Abstract

The paper presents a relatively complete proof system for proving the validity of temporal properties of reactive programs. The presented proof system improves on previous temporal systems, such as [MP83a] and [MP83b], in that it reduces the validity of program properties into pure assertional reasoning, not involving additional temporal reasoning. The proof system is based on the classification of temporal properties according to the Borel hierarchy, providing an appropriate proof rule for each of the main classes, such as safety, response, and progress properties.


1 Introduction

Temporal logic is, by now, one of the acceptable and frequently used approaches to the formal specification and verification of concurrent and reactive programs. Even though we have witnessed, over the last several years, a great progress in the automatic verification of finite-state programs, the main tool for establishing that a proposed implementation satisfies its temporal specification is still that of deductive verification, using a set of axioms and inference rules.

As described in [MP83a] (see also [MP83b] and [Pnu86]), a proof system that supports the verification of temporal properties over reactive programs has to deal with three types of validity.

• A - Assertional Validity. This is the validity of non-temporal (state) formulae (also called assertions) over an arbitrary interpretation.

• T - General Temporal Validity. This is the validity of temporal formulae over arbitrary sequences of states (models).

• P - Program Validity. This is the validity of temporal formulae over sequences of states which represent computations of the analyzed program.

* This research was supported in part by the National Science Foundation under grants DCR-8413230 and CCR-8812395, by the Defense Advanced Research Projects Agency under contract N00039-84-C-0211, and by the United States Air Force Office of Scientific Research under contracts AFOSR 87-0149 and 88-0281.

† Department of Computer Science, Stanford University, Stanford, CA 94303

‡ Department of Applied Mathematics, Weizmann Institute, Rehovot, Israel


Corresponding to these three types of validity, the proof system may be partitioned into three parts, each providing axioms and rules for establishing the validity of the corresponding type. This is essentially the structure of the proof system presented in [MP83b], where we refer to the assertional part as the domain part.


The program part presents some basic proof rules and some derived rules. The derived rules provide direct support for proving some of the most frequently used temporal properties of programs.

One group of rules establishes the validity of the invariance formulae $\Box q$ and $\Box(p \rightarrow \Box q)$, which express the invariance of a state formula $q$, either throughout the computation, or triggered by the occurrence of $p$.

Another group of rules establishes the validity of the eventuality formulae $\Diamond q$ and $\Box(p \rightarrow \Diamond q)$, which express the guarantee that $q$ will eventually happen, either once or following each occurrence of $p$.

These proof rules are completely satisfactory for establishing this restricted but very prevalent set of temporal formulae. The rules derive temporal conclusions from assertional premises. They have been proven relatively complete, and are the main working tools for verification of the temporal properties of programs (see, e.g., [OL82], [MP84], [Kro87]).

However, the question which is only partially answered in [MP83a] is how do we prove all the other properties whose expression in temporal logic does not fall into the restricted class of invariance and eventuality formulae. The partial solution given there is a general relative completeness theorem, which shows that the program part is adequate for reducing the validity of a temporal formula over a given program (P-validity) into a set of valid formulae, which are either assertional (A-valid), or temporal but valid over arbitrary sequences of states (T-valid).

We remind the reader that this is the general character of all relative completeness results for program logics such as Hoare logic ([Apt81]) or Dynamic Logic ([Har79]). Since, as soon as we consider programs that operate over infinite domains, we lose the possibility of having true completeness, the best we can hope for is relative completeness ([Coo78]). This type of completeness ensures an effective reduction from the validity of a program logic statement into the validity of a finite number of assertional statements.

Unfortunately, the reduction given in [MP83a] is not only into assertional statements, but also into generally (T-)valid temporal statements. This requires a proof of a general program property to be based not only on assertional reasoning, but also on temporal reasoning, which is less familiar, even to a person who is well versed in general logic. This fact has been considered by some researchers a deficiency, and has caused them to shy away from the temporal proof system and look for alternative formalisms, in which a complete reduction into assertional statements is guaranteed ([AS89], and also see [MP87]).

In this paper we attempt to remedy the situation by providing a richer proof system for the program part, which ensures complete reduction of a general temporal formula (given in a canonical form) into a finite set of assertional statements, whose validity implies the validity of the original temporal formula.

The approach to a complete proof system is based on a classification of temporal properties according to their expression in a canonical form, which applies a set of restricted future modalities to arbitrary past formulae. This classification establishes a hierarchy of temporal properties ([MP89]), whose classes can be characterized according to three different criteria. We have already mentioned their characterization in terms of the syntactic form of their canonical representation. Another characterization is semantical, looking at a property as the set of all sequences which have this property. By this view we can give a topological characterization to the classes in our hierarchy, locating it at the first two levels of the Borel hierarchy. The third characterization is in terms of structural restrictions on the Streett automaton that recognizes precisely the set of the infinite sequences which have the property.

In principle, we should provide a separate proof rule for each of the property classes in our hierarchy. In practice, we concentrate on three particular classes, which have special significance as expressing most of the interesting program properties, and forming a natural generalization of the two classes of invariance and eventuality properties considered in the previous proof systems. These are the classes of:

• Safety Properties. These are all the properties that can be expressed by a temporal formula of the form
  $\Box q$
for some past formula $q$.

• Response Properties. These are all the properties that can be expressed by a temporal formula of the form
  $\Box(p \rightarrow \Diamond q)$, or alternately, $\Box\Diamond q$
for some past formulae $p$ and $q$.

• Progress Properties. These are all the properties that can be expressed by a temporal formula of the form
  $\Box\Diamond p \rightarrow \Box\Diamond q$
for some past formulae $p$ and $q$.

We provide complete rules for each of these classes. This provides full coverage for the entire temporal logic, since by [LPZ85] (see also [Tho81]), any temporal formula is equivalent to a conjunction of progress properties. Therefore, to prove the P-validity of $\varphi$, it is sufficient to prove the P-validity of each of the conjuncts, for which we can use the rule for progress properties.


2 Programs and Computations


The basic computational model we use to represent programs is that of a fair transition system. In this model, a program $P$ consists of the following components.

• $V$ - A finite set of state variables. Some of these variables represent data variables, which are explicitly manipulated by the program text. Other variables are control variables, which represent, for example, the location of control in each of the processes in a concurrent program. We assume each variable to be associated with a domain, over which it ranges.

• $\Sigma$ - A set of states. Each state $s \in \Sigma$ is an interpretation of $V$, assigning to each variable $y \in V$ a value over its domain, which we denote by $s[y]$.
• $\mathcal{T}$ - A finite set of transitions. Each transition $\tau \in \mathcal{T}$ is associated with an assertion $\rho_\tau(V, V')$, called the transition relation, which refers to both an unprimed and a primed version of the state variables. The purpose of the transition relation $\rho_\tau$ is to express a relation between a state $s$ and its successor $s'$. We use the unprimed version to refer to values in $s$, and the primed version to refer to values in $s'$. For example, the assertion $x' = x + 1$ states that the value of $x$ in $s'$ is greater by 1 than its value in $s$.

• $\Theta$ - The precondition. This is an assertion characterizing all the initial states, i.e., states at which the computation of the program can start. A state is defined to be initial if it satisfies $\Theta$.

• $\mathcal{C} = \{C_1, \ldots, C_r\}$ - A finite set of continual fairness requirements (also called justice or weak fairness requirements). Each continual fairness requirement $C_i \in \mathcal{C}$ consists of two sets of transitions $C_i = (E_i, T_i)$, $E_i \subseteq T_i \subseteq \mathcal{T}$, on which the requirement of continual fairness is imposed. Intuitively, the continual fairness requirement $(E_i, T_i) \in \mathcal{C}$ disallows a computation in which, beyond a certain point, $E_i$ is continually enabled, but no transition of $T_i$ is taken beyond this point.

• $\mathcal{R} = \{R_1, \ldots\}$ - A family of recurrent fairness requirements (also called strong fairness requirements). Each recurrent fairness requirement $R_i \in \mathcal{R}$ consists of two sets of transitions $R_i = (E_i, T_i)$, $E_i \subseteq T_i \subseteq \mathcal{T}$, on which the requirement of recurrent fairness is imposed. Intuitively, the recurrent fairness requirement $(E_i, T_i) \in \mathcal{R}$ disallows a computation in which, beyond a certain point, $E_i$ is enabled infinitely many times, but no transition of $T_i$ is taken beyond that point.

We define the state $s'$ to be a $\tau$-successor of the state $s$ if
  $(s, s') \models \rho_\tau(V, V')$,
where $(s, s')$ is the joint interpretation which interprets $x \in V$ as $s[x]$, and interprets $x'$ as $s'[x]$. Following this definition, we can view the transition $\tau$ as a function $\tau : \Sigma \rightarrow 2^{\Sigma}$, defined by:
  $\tau(s) = \{\, s' \mid s' \text{ is a } \tau\text{-successor of } s \,\}$.

We say that the transition $\tau$ is enabled on the state $s$, if $\tau(s) \neq \emptyset$. Otherwise, we say that $\tau$ is disabled on $s$. We say that a state $s$ is terminal if all the transitions $\tau \in \mathcal{T}$ are disabled on it. The enabledness of a transition $\tau$ can be expressed by the formula
  $En(\tau) : (\exists V')\,\rho_\tau(V, V')$,
which is true in $s$ iff $s$ has some $\tau$-successor.

For a set of transitions $E \subseteq \mathcal{T}$, we say that $E$ is enabled on $s$, denoted by $En(E)$, if some transition $\tau \in E$ is enabled on $s$, and that $E$ is disabled on $s$ if all transitions $\tau \in E$ are disabled on $s$.

Given a program $P$ for which the above components have been specified, we define a computation of $P$ to be a finite or infinite sequence of states $\sigma : s_0, s_1, s_2, \ldots$, satisfying the following requirements:

• Initiality. $s_0$ is initial, i.e., $s_0 \models \Theta$.

• Consecution. For each $j = 0, 1, \ldots$, the state $s_{j+1}$ is a $\tau$-successor of the state $s_j$, i.e., $s_{j+1} \in \tau(s_j)$, for some $\tau \in \mathcal{T}$. In this case, we say that the transition $\tau$ is taken at position $j$ in $\sigma$. For a set of transitions $T \subseteq \mathcal{T}$, we say that $T$ is taken at position $j$, if some $\tau \in T$ is taken at $j$.

• Termination. Either $\sigma$ is infinite, or it ends in a state $s_k$ which is terminal.

• Continual Fairness. For each $(E_i, T_i) \in \mathcal{C}$ it is required that, if $E_i$ is continually enabled beyond some point in $\sigma$, then $T_i$ must be taken at infinitely many positions in $\sigma$.

• Recurrent Fairness. For each $(E_i, T_i) \in \mathcal{R}$ it is required that, if $E_i$ is enabled on infinitely many states of $\sigma$, then $T_i$ must be taken at infinitely many positions in $\sigma$.

For a program $P$, we denote by $Comp(P)$ the set of all computations of $P$. For simplicity, we will only consider programs for which $\mathcal{T}$ is always enabled. Such programs have only infinite computations.
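The requirements above can be checked mechanically on an ultimately periodic sequence. The following Python program is an added example, not part of the paper: it builds a small fair transition system over explicit states (the program, its three transitions, its precondition and its fairness requirements are constructed here for illustration) and checks initiality, consecution, continual fairness and recurrent fairness on a sequence given as a finite prefix followed by a loop that repeats forever. Since every state of the loop recurs infinitely often, "continually enabled beyond some point" reduces to "enabled on every loop state", "enabled infinitely often" to "enabled on some loop state", and "taken infinitely often" to "taken at some loop position". Transition tau_x is always enabled, so, as in the simplification adopted above, every computation is infinite and the termination requirement does not arise.

```python
# Added example (not from the paper): a constructed fair transition system
# over states (x, y), x in Z_3, and a check of the computation requirements
# on a lasso sigma = prefix . loop^omega.
# Each transition is the function tau : Sigma -> 2^Sigma of the paper; an
# empty successor set means tau is disabled on that state.
def tau_x(s):                 # x' = (x + 1) mod 3, y' = y      (always enabled)
    x, y = s
    return {((x + 1) % 3, y)}

def tau_y(s):                 # enabled iff y = 0 : y' = 1, x' = x
    x, y = s
    return {(x, 1)} if y == 0 else set()

def tau_r(s):                 # enabled iff x = 0 and y = 1 : y' = 2, x' = x
    x, y = s
    return {(x, 2)} if (x, y) == (0, 1) else set()

TRANSITIONS = {"tau_x": tau_x, "tau_y": tau_y, "tau_r": tau_r}

def THETA(s):                 # precondition: the single initial state (0, 0)
    return s == (0, 0)

# Fairness requirements (E, T), given as sets of transition names (assumed here).
CONTINUAL = [({"tau_y"}, {"tau_y"}), ({"tau_r"}, {"tau_r"})]   # justice
RECURRENT = [({"tau_r"}, {"tau_r"})]                            # compassion

def enabled(E, s):
    """En(E): some transition of E has a successor on s."""
    return any(TRANSITIONS[name](s) for name in E)

def taken(T, s, s_next):
    """T is taken at a position with state s and successor state s_next."""
    return any(s_next in TRANSITIONS[name](s) for name in T)

def check_computation(prefix, loop):
    """Violated requirements for sigma = prefix . loop^omega.  Every loop
    state recurs forever, so 'beyond some point' is decided on the loop:
    continually enabled     <=> enabled on every loop state,
    enabled infinitely often <=> enabled on some loop state,
    taken infinitely often   <=> taken at some loop position."""
    seq = list(prefix) + list(loop)
    problems = []
    if not THETA(seq[0]):
        problems.append("initiality")
    # Consecution: every adjacent pair, including the wrap-around from the
    # last loop state back to the first one, is a tau-successor pair.
    pairs = list(zip(seq, seq[1:])) + [(seq[-1], loop[0])]
    if not all(taken(TRANSITIONS, s, t) for s, t in pairs):
        problems.append("consecution")
    loop_pairs = pairs[len(prefix):]           # the positions that recur forever
    for E, T in CONTINUAL:
        if all(enabled(E, s) for s, _ in loop_pairs) and \
           not any(taken(T, s, t) for s, t in loop_pairs):
            problems.append(f"continual fairness {sorted(E)}->{sorted(T)}")
    for E, T in RECURRENT:
        if any(enabled(E, s) for s, _ in loop_pairs) and \
           not any(taken(T, s, t) for s, t in loop_pairs):
            problems.append(f"recurrent fairness {sorted(E)}->{sorted(T)}")
    return problems

if __name__ == "__main__":
    # Constructed sample sequences.
    print(check_computation([], [(0, 0), (1, 0), (2, 0)]))               # tau_y starved
    print(check_computation([(0, 0)], [(0, 1), (1, 1), (2, 1)]))         # tau_r starved
    print(check_computation([(0, 0), (0, 1)], [(0, 2), (1, 2), (2, 2)])) # a computation
```

The second sample sequence satisfies the continual requirement on tau_r (tau_r is not enabled on every loop state) but violates the recurrent one (it is enabled on the loop state (0, 1) infinitely often and is never taken), which is exactly the difference between justice and compassion.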

3 Temporal Logic

We assume an underlying assertional language, which contains the predicate calculus, and interpreted symbols for expressing the standard operations and relations over some concrete domains. For the sake of completeness, we require that one of the domains is that of the integers, or another domain with similar expressive power. We refer to a formula in the assertional language as a state formula, or simply as an assertion.

A temporal formula is constructed out of state formulae to which we apply the boolean operators $\neg$ and $\vee$ (the other boolean operators can be defined from these), and the following basic temporal operators:

  $\bigcirc$ - Next        $\ominus$ - Previous
  $\mathcal{U}$ - Until    $\mathcal{S}$ - Since

A model for a temporal formula $p$ is a finite or infinite sequence of states $\sigma : s_0, s_1, \ldots$, where each state $s_j$ provides an interpretation for the variables mentioned in $p$. For simplicity, we will only consider the case of infinite models.

Given a model $\sigma$, as above, we present an inductive definition for the notion of a temporal formula $p$ holding at a position $j \geq 0$ in $\sigma$, denoted by $(\sigma, j) \models p$.

• For a state formula $p$,
  $(\sigma, j) \models p \iff s_j \models p$.
That is, we evaluate $p$ locally, using the interpretation given by $s_j$.

• $(\sigma, j) \models p \vee q \iff (\sigma, j) \models p$ or $(\sigma, j) \models q$

• $(\sigma, j) \models \bigcirc p \iff (\sigma, j+1) \models p$

• $(\sigma, j) \models p\,\mathcal{U}\,q \iff$ for some $k \geq j$, $(\sigma, k) \models q$, and for every $i$ such that $j \leq i < k$, $(\sigma, i) \models p$

• $(\sigma, j) \models \ominus p \iff j > 0$ and $(\sigma, j-1) \models p$

• $(\sigma, j) \models p\,\mathcal{S}\,q \iff$ for some $k \leq j$, $(\sigma, k) \models q$, and for every $i$ such that $j \geq i > k$, $(\sigma, i) \models p$
Additional temporal operators can be defined as follows:

  $\Diamond p = \text{true}\,\mathcal{U}\,p$ - Eventually
  $\Box p = \neg\Diamond\neg p$ - Henceforth
  $p\,\mathcal{W}\,q = \Box p \vee (p\,\mathcal{U}\,q)$ - Unless

  $\Diamond^{-} p = \text{true}\,\mathcal{S}\,p$ - Sometime in the past
  $\Box^{-} p = \neg\Diamond^{-}\neg p$ - Always in the past
  $p\,\mathcal{B}\,q = \Box^{-} p \vee (p\,\mathcal{S}\,q)$ - Weak Since

Another useful derived operator is the entailment operator, defined by:

  $p \Rightarrow q \iff \Box(p \rightarrow q)$


5i’ 


"1 


A formula that contains no future operators is called a past formula. A formula that contains no past operators is called a future formula. Note that a state formula is both a past and a future formula. We refer to a past formula [future formula] that is not also a state formula, as a strict-past [strict-future, respectively] formula. For a state formula $p$ and a state $s$ such that $p$ holds on $s$ we say that $s$ is a $p$-state.

If $(\sigma, 0) \models p$, we say that $p$ holds on $\sigma$, and denote it by $\sigma \models p$. A formula $p$ is called satisfiable if it holds on some model. A formula is called (temporally) valid if it holds on all models.

Two formulae $p$ and $q$ are defined to be equivalent if the formula $p \equiv q$ is valid, i.e., $\sigma \models p$ iff $\sigma \models q$, for all $\sigma$.

The notion of validity defined above is the notion of T-validity. Given a program $P$, we can restrict our attention to the set of models which correspond to computations of $P$, i.e., $Comp(P)$. This leads to the notion of P-validity, by which $p$ is P-valid if it holds over all the computations of $P$. Similarly, we obtain the notions of P-satisfiability and P-equivalence.
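As an added illustration, not part of the paper, the inductive definition above and the derived operators can be turned into an evaluator over a finite model (which the definition of a model also admits). Formulae are nested tuples, state formulae are Python predicates on a state, and every derived operator is defined by the rewrite given above, so that holds(sigma, j, f) is literally $(\sigma, j) \models f$. The two sample models, a counter $x$ that starts at 0 and advances in steps of 1 and one that advances in steps of 2, are constructed here.

```python
# Added example (not from the paper): an evaluator for the semantics of
# Section 3 over a finite model sigma = s_0, ..., s_n (a list of states).
TRUE = ("atom", lambda s: True)

def atom(pred):       return ("atom", pred)        # state formula
def Not(p):           return ("not", p)
def Or(p, q):         return ("or", p, q)
def And(p, q):        return Not(Or(Not(p), Not(q)))
def Imp(p, q):        return Or(Not(p), q)
def Next(p):          return ("next", p)
def Until(p, q):      return ("until", p, q)
def Prev(p):          return ("prev", p)
def Since(p, q):      return ("since", p, q)
# Derived operators, exactly as the paper defines them.
def Eventually(p):    return Until(TRUE, p)            # <>p  = true U p
def Henceforth(p):    return Not(Eventually(Not(p)))   # []p  = ~<>~p
def Unless(p, q):     return Or(Henceforth(p), Until(p, q))
def Once(p):          return Since(TRUE, p)            # sometime in the past
def AlwaysPast(p):    return Not(Once(Not(p)))
def WeakSince(p, q):  return Or(AlwaysPast(p), Since(p, q))
def Entails(p, q):    return Henceforth(Imp(p, q))     # p => q  is  [](p -> q)
FIRST = Not(Prev(TRUE))                                # first = ~(-)true

def holds(sigma, j, f):
    """(sigma, j) |= f, following the inductive definition."""
    op = f[0]
    if op == "atom":
        return f[1](sigma[j])                 # evaluated locally on s_j
    if op == "not":
        return not holds(sigma, j, f[1])
    if op == "or":
        return holds(sigma, j, f[1]) or holds(sigma, j, f[2])
    if op == "next":                          # needs a position j+1 in the model
        return j + 1 < len(sigma) and holds(sigma, j + 1, f[1])
    if op == "until":                         # some k >= j with q, p on j <= i < k
        return any(holds(sigma, k, f[2]) and
                   all(holds(sigma, i, f[1]) for i in range(j, k))
                   for k in range(j, len(sigma)))
    if op == "prev":                          # j > 0 and p at j-1
        return j > 0 and holds(sigma, j - 1, f[1])
    if op == "since":                         # some k <= j with q, p on k < i <= j
        return any(holds(sigma, k, f[2]) and
                   all(holds(sigma, i, f[1]) for i in range(k + 1, j + 1))
                   for k in range(j, -1, -1))
    raise ValueError(op)

def valid_on(sigma, f):
    """f holds on the model: (sigma, 0) |= f."""
    return holds(sigma, 0, f)

# Constructed models: a counter in steps of 1 and in steps of 2.
STEP1 = [{"x": i} for i in range(13)]
STEP2 = [{"x": 2 * i} for i in range(13)]
x_is = lambda v: atom(lambda s: s["x"] == v)
# []((x = 10) -> <->(x = 5)): every x = 10 state is preceded by an x = 5 state
CAUSAL = Henceforth(Imp(x_is(10), Once(x_is(5))))

if __name__ == "__main__":
    print(valid_on(STEP1, CAUSAL), valid_on(STEP2, CAUSAL))   # True False
```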


Canonical Form and Classification

By [LPZ85] (see also [Tho81]), every temporal formula is equivalent to a formula of the form

  $\bigwedge_{i=1}^{n} (\Box\Diamond p_i \vee \Diamond\Box q_i)$,

for some past formulae $p_i, q_i$, $i = 1, \ldots, n$.

Based on this canonical form we can classify the properties expressible by temporal logic according to their expressibility by restricted cases of this general formula. We list below the main classes in this classification, specifying their temporal characterizations. For each class we present the form of the temporal formulae that express the properties in that class, where the subformulae appearing there are arbitrary past formulae. We refer the reader to [MP89] for additional properties and characterizations of this hierarchy.


• Safety Properties - $\Box p$

• Termination Properties - $\Diamond p$

• Intermittence Properties - $\Box p \vee \Diamond q$

• Multiple Intermittence Properties - $\bigwedge_{i=1}^{n} (\Box p_i \vee \Diamond q_i)$

• Response Properties - $\Box\Diamond p$

• Persistence Properties - $\Diamond\Box p$

• Progress Properties - $\Box\Diamond p \vee \Diamond\Box q$

• Multiple Progress Properties - $\bigwedge_{i=1}^{n} (\Box\Diamond p_i \vee \Diamond\Box q_i)$

As stated above, the multiple progress class is the maximal class of properties expressible by temporal logic.


4 Rules for Safety

From now on, we fix our attention on a program $P$, specified by the components $(V, \Sigma, \mathcal{T}, \Theta, \mathcal{C}, \mathcal{R})$. We begin with the simplest case, the invariance of a state formula $q$, expressed by the safety formula $\Box q$.

For assertions $p$ and $q$ and a transition $\tau$, the verification condition is the implication

  $(\rho_\tau \wedge p) \rightarrow q'$, denoted by $\{p\}\tau\{q\}$,

where $\rho_\tau$ is the transition relation corresponding to $\tau$, and $q'$ is the primed version of the assertion $q$. Since $\rho_\tau$ holds for two states $s$ and $s'$ precisely when $s'$ is a $\tau$-successor of $s$, $p$ states that $p$ holds on $s$, and $q'$ states that $q$ holds on $s'$, it is not difficult to see that the validity of $\{p\}\tau\{q\}$ ensures that every $\tau$-successor of a $p$-state is a $q$-state. The condition is extended to a set of transitions $T \subseteq \mathcal{T}$ by taking $\{p\}T\{q\}$ to require $\{p\}\tau\{q\}$ for every $\tau \in T$.

The basic rule for invariance is

INV  I1. $\Theta \rightarrow \varphi$
     I2. $\varphi \rightarrow q$
     I3. $\{\varphi\}\mathcal{T}\{\varphi\}$
     ---------------------------
         $\Box q$

By premise I1, the auxiliary assertion $\varphi$ holds initially, and by premise I3 it is propagated from each state to its successor. This shows that $\varphi$ is an invariant of all computations of $P$. Since, by I2, the assertion $\varphi$ implies $q$, it follows that $q$ is also an invariant of the program.


Generalizing to Past Formulae

Next, we have to extend the INV rule to deal with formulae $q$ which are past formulae. First, we extend the notion of the primed version of a formula, to apply also to a past formula. Recall that the intended meaning of a primed formula is to express the value of a formula in the next state, in terms of the values of the variables in the next state and in terms of values in the current state. This is inductively defined as follows:

• For a state formula $p(V)$, we define as before
  $(p(V))' = p(V')$.

• For a previous formula
  $(\ominus p)' = p$.
This corresponds to our intuition that $\ominus p$ holds in the next state iff $p$ holds now.

• For a since formula
  $(p\,\mathcal{S}\,q)' = q' \vee ((p\,\mathcal{S}\,q) \wedge p')$.
This corresponds to the intuition that $p\,\mathcal{S}\,q$ holds in the next state if, either $q$ holds there, or $p\,\mathcal{S}\,q$ holds now and $p$ holds next.

With this definition, we extend the notion of the verification condition $\{p\}\tau\{q\}$ to apply also to past formulae $p$ and $q$, and to mean
  $(\rho_\tau \wedge p) \Rightarrow q'$.
Note that since we work with temporal formulae, we replaced the previous implication by an entailment, because we expect the implication to hold at all positions of the computation, not only at the first one.

With this extension, the general single rule for establishing safety properties is given by

SAFE  S1. $(\Theta \wedge \text{first}) \Rightarrow \varphi$
      S2. $\varphi \Rightarrow q$
      S3. $\{\varphi\}\mathcal{T}\{\varphi\}$
      ---------------------------
          $\Box q$

The implications, appearing in the premises I1 and I2 of the INV rule, have been replaced in the SAFE rule by the entailments, appearing in the premises S1 and S2. In S1 we also added the conjunct first, which is an abbreviation for the formula $\neg\ominus\text{true}$, characterizing the first position in the computation, as the only position that has no predecessor. This conjunct is sometimes necessary to ensure that $\varphi$ holds in the first position.




A Minimal General Part

If we examine the premises S1-S3 of the SAFE rule, we observe that they all have the form of temporal formulae, which are actually other safety formulae. How are these to be proven? It seems that we need some additional rules, belonging to the general part. These rules enable us to prove some temporal formulae that are generally valid, i.e., hold over any sequence of states, unrelated to any particular program.

The first rule we consider is the rule of temporal instantiation, which provides a basic tool for deriving temporal validities from assertional ones. Let $q$ be a state formula containing the propositional symbol $p$, and let $\varphi$ be a temporal formula. We denote by $q[\varphi/p]$ the temporal formula obtained from $q$ by replacing all occurrences of $p$ by $\varphi$.

INST  $q$
      ---------------------------
      $\Box q[\varphi/p]$

Note, in particular, that if $q$ has the form $t \rightarrow r$ then the temporal conclusion is an entailment of the form $t[\varphi/p] \Rightarrow r[\varphi/p]$. This rule is often used, without any instantiation, to derive the temporal validity of $\Box q$ from the assertional validity of $q$. In these cases, it is sometimes referred to as generalization.

The next rule we consider can be viewed as stating the monotonicity of the temporal operator $\Box$. For two temporal formulae $p$ and $q$, we can interpret the entailment $p \Rightarrow q$, i.e., $\Box(p \rightarrow q)$, as an ordering relation between the formulae, stating that $p$ is smaller (stronger) than $q$. Indeed, for a sequence $\sigma$, $p \Rightarrow q$ claims that the set of positions at which $p$ holds is contained in the set of positions at which $q$ holds. Monotonicity of the $\Box$ operator (the S-MON rule) states that if $p \Rightarrow q$, and $\Box p$ is valid, then so is $\Box q$.


This rule can also be viewed as a temporal version of Modus Ponens, where entailment replaces implication. In fact, the two preceding rules provide a formal support for many elementary manipulations, such as substituting equals for equals, and using any instantiation of propositional tautologies. We refer to any such manipulation as justified by propositional reasoning.

In addition to these very general rules, we need in our general part some properties which are specific to the initial part of a sequence of states. These will enable us to draw some conclusions from the formula first, as is needed in premise S1 of the SAFE rule.

These are presented by the following two axioms:

• I-PREV: $\text{first} \Rightarrow \neg\ominus p$

• I-SINCE: $\text{first} \Rightarrow ((p\,\mathcal{S}\,q) \equiv q)$

The I-PREV axiom states that no previous formula can hold at the initial position of any sequence. The I-SINCE axiom states that the formula $p\,\mathcal{S}\,q$ can hold at the initial position iff $q$ holds there.




The Completeness of the SAFE Rule

We proceed to consider the applicability of the SAFE rule to the proofs of safety properties. First, we present an example, illustrating its use.

Example 4.1 Consider the trivial program with a single state variable $x$, precondition $x = 0$, and a single transition $\tau$ whose assertion is given by $\rho_\tau : x' = x + 1$. Observe that this program has a single infinite computation, given by $(x : 0), (x : 1), (x : 2), \ldots$

We wish to prove for this program the trivial safety property

  $\Box((x = 10) \rightarrow \Diamond^{-}(x = 5))$.

This property claims that any state in which $x = 10$ must have been preceded by a state in which $x = 5$. Note that this trivial property would not be true for a program that advances in steps of 2, rather than steps of 1.

To prove this property, we identify $q$ as $(x = 10) \rightarrow \Diamond^{-}(x = 5)$ and intend to use the SAFE rule. As the auxiliary formula $\varphi$, we take $(x \geq 5) \rightarrow \Diamond^{-}(x = 5)$. The rule requires showing the following three premises:

S1. $[(x = 0) \wedge \text{first}] \Rightarrow [(x \geq 5) \rightarrow \Diamond^{-}(x = 5)]$

S2. $[(x \geq 5) \rightarrow \Diamond^{-}(x = 5)] \Rightarrow [(x = 10) \rightarrow \Diamond^{-}(x = 5)]$

S3. $[(x' = x + 1) \wedge ((x \geq 5) \rightarrow \Diamond^{-}(x = 5))] \Rightarrow [(x' \geq 5) \rightarrow (\Diamond^{-}(x = 5) \vee (x' = 5))]$

In S3 we have already expanded $(\Diamond^{-}(x = 5))'$ into $\Diamond^{-}(x = 5) \vee (x' = 5)$. All of these apparently temporal formulae can be established by the INST rule, using the following three valid state formulae, and their associated instantiations.

V1. $((x = 0) \wedge p) \rightarrow ((x \geq 5) \rightarrow r)$
with the replacement of $(\text{first}, \Diamond^{-}(x = 5))$ for the proposition symbols $(p, r)$, respectively.

V2. $((x \geq 5) \rightarrow p) \rightarrow ((x = 10) \rightarrow p)$
with the replacement of $\Diamond^{-}(x = 5)$ for the proposition symbol $p$.

V3. $[(x' = x + 1) \wedge ((x \geq 5) \rightarrow p)] \rightarrow [(x' \geq 5) \rightarrow (p \vee (x' = 5))]$
with the replacement of $\Diamond^{-}(x = 5)$ for the proposition symbol $p$.

Theorem 7.2, presented in Section 7, establishes the adequacy of the SAFE rule by stating:

  The SAFE rule is complete, relative to assertional validity, for proving the P-validity of any safety property.

The proof of the theorem is based on the construction of a big past invariant which relates the values of variables in an accessible state (i.e., appearing in some computation of $P$) to the boolean values of the temporal sub-formulae of the past formula $q$, whose invariance we wish to establish.
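The INST reduction used in Example 4.1 can be mechanised: each strict-past subformula of $\varphi$ and $q$ becomes a boolean history proposition, the primed version $\varphi'$ is computed by the priming clauses of the previous paragraphs, and S1-S3 become assertional checks over a state, its successor and the history bits. The Python program below is an added example, not part of the paper. Its assumptions: the integers are explored over a bounded window only (so a passing run is a bounded check, not a proof); boolean connectives are primed componentwise, as the expansion of $(\Diamond^{-}(x = 5))'$ inside S3 does; at the first position the history bits are fixed by I-PREV and I-SINCE; and elsewhere they range over all combinations, as the INST view does (sound, though it may report combinations that no computation reaches, which is what the big past invariant of Theorem 7.2 rules out).

```python
# Added example (not from the paper): bounded checking of the SAFE premises
# with strict-past subformulae treated as history propositions.
from itertools import product

# Past formulae as nested tuples; state formulae are predicates on a state.
def atom(pred):   return ("atom", pred)
def Not(p):       return ("not", p)
def Or(p, q):     return ("or", p, q)
def Imp(p, q):    return Or(Not(p), q)
def Prev(p):      return ("prev", p)
def Since(p, q):  return ("since", p, q)
TRUE = atom(lambda s: True)
def Once(p):      return Since(TRUE, p)            # <->p = true S p

def strict_past(f):
    """Strict-past subformulae of f, each of which becomes one history bit
    (the proposition symbol INST instantiates, as p and r in V1-V3)."""
    found = [f] if f[0] in ("prev", "since") else []
    for sub in f[1:]:
        if isinstance(sub, tuple):
            found += strict_past(sub)
    return list(dict.fromkeys(found))               # dedupe, keep order

def now(f, s, H):
    """Value of f at the current position: state s, history bits H."""
    op = f[0]
    if op == "atom": return f[1](s)
    if op == "not":  return not now(f[1], s, H)
    if op == "or":   return now(f[1], s, H) or now(f[2], s, H)
    return H[f]                                     # prev / since: the bit

def primed(f, s, s1, H):
    """f' at the next state s1, by the inductive definition:
    (p(V))' = p(V'),  ((-)p)' = p,  (p S q)' = q' v ((p S q) ^ p')."""
    op = f[0]
    if op == "atom": return f[1](s1)
    if op == "not":  return not primed(f[1], s, s1, H)
    if op == "or":   return primed(f[1], s, s1, H) or primed(f[2], s, s1, H)
    if op == "prev": return now(f[1], s, H)
    return primed(f[2], s, s1, H) or (H[f] and primed(f[1], s, s1, H))

def at_first(f, s):
    """Value of f at the first position: (-)p is false (I-PREV) and
    p S q agrees with q there (I-SINCE)."""
    op = f[0]
    if op == "atom": return f[1](s)
    if op == "not":  return not at_first(f[1], s)
    if op == "or":   return at_first(f[1], s) or at_first(f[2], s)
    if op == "prev": return False
    return at_first(f[2], s)

def check_safe(phi, q, theta, rho, states):
    """Bounded check of S1-S3.  states: explored state values; rho(s): the
    successors of s.  Returns one witness per failing premise, as
    (state, history bits) for S1/S2 and (state, successor, bits) for S3."""
    hist = strict_past(Or(phi, q))                  # bits shared by phi and q
    fails = {}
    for s in states:
        if theta(s):                                # S1: (Theta ^ first) => phi
            H0 = {g: at_first(g, s) for g in hist}
            if not now(phi, s, H0):
                fails.setdefault("S1", (s, tuple(H0.values())))
        for bits in product([False, True], repeat=len(hist)):
            H = dict(zip(hist, bits))
            if not now(phi, s, H):
                continue
            if not now(q, s, H):                    # S2: phi => q
                fails.setdefault("S2", (s, bits))
            for s1 in rho(s):                       # S3: (rho ^ phi) => phi'
                if not primed(phi, s, s1, H):
                    fails.setdefault("S3", (s, s1, bits))
    return fails

# Example 4.1 over a bounded window of the integers (an assumption here).
x_is  = lambda v: atom(lambda s: s["x"] == v)
SEEN5 = Once(x_is(5))                               # built once, shared below
Q     = Imp(x_is(10), SEEN5)                        # (x = 10) -> <->(x = 5)
PHI   = Imp(atom(lambda s: s["x"] >= 5), SEEN5)     # (x >= 5) -> <->(x = 5)
THETA = lambda s: s["x"] == 0
STATES = [{"x": i} for i in range(-2, 21)]
step1 = lambda s: [{"x": s["x"] + 1}]               # rho_tau : x' = x + 1
step2 = lambda s: [{"x": s["x"] + 2}]               # the program that skips 5

if __name__ == "__main__":
    print(check_safe(PHI, Q, THETA, step1, STATES))  # {}
    print(check_safe(PHI, Q, THETA, step2, STATES))  # S3 fails at x = 4
    print(check_safe(Q, Q, THETA, step1, STATES))    # without phi, S3 fails
```

On the step-1 program no premise fails. On the step-2 program S3 fails at $x = 4$ with the history bit for $\Diamond^{-}(x = 5)$ false and $x' = 6$, the exact point at which that program skips 5. With $\varphi = q$ (no strengthening) S3 fails at $x = 9$, which is why the auxiliary $(x \geq 5) \rightarrow \Diamond^{-}(x = 5)$ is needed.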
Causality Formulae

Even though, in theory, the completeness theorem above fully settles the question of proving the validity of safety formulae, there is a practical interest in identifying special forms of safety formulae, for which a specific proof methodology exists. One of these subclasses contains the properties expressible by the causality formula

  $p \Rightarrow \Diamond^{-} q$

for past formulae $p$ and $q$. The causality formula states that every $p$-state is necessarily preceded by a $q$-state.

To present a proof rule for causality properties, we define first the inverse verification condition, denoted by $\{p\}\tau^{-1}\{q\}$ and standing for the entailment

  $(\rho_\tau \wedge p') \Rightarrow q$.

The validity of this condition ensures that any $\tau$-predecessor of a $p$-state must be a $q$-state. The condition is extended to sets of transitions $T \subseteq \mathcal{T}$ in the usual way. Then, the following rule is adequate for proving causality properties.

CAUS  K1. $p \Rightarrow (q \vee \varphi)$
      K2. $(\Theta \wedge \text{first}) \Rightarrow \neg\varphi$
      K3. $\{\varphi\}\mathcal{T}^{-1}\{\varphi \vee q\}$
      ---------------------------
          $p \Rightarrow \Diamond^{-} q$

By premise K1, any state satisfying $p$, either already satisfies $q$, or satisfies the auxiliary past formula $\varphi$. By premise K3, the predecessor of any $\varphi$-state must satisfy $\varphi \vee q$. Thus, if we do not find a $q$ preceding $p$, $\varphi$ propagates all the way to the initial position. However, this contradicts premise K2, according to which the initial position cannot satisfy $\varphi$.

Incremental Proofs

In the previous paragraphs, we have considered how to establish the invariance of some past formulae. Having established some basic invariants of this form, we may want to use them in order to derive more complex properties. For this purpose, we quote again the S-MON rule, which suggests a strategy, to which we refer as the incrementality principle. According to this principle, we establish first the validity of a simpler safety property $\Box p$. Later, whenever we have to establish the validity (over $P$) of a premise that has the form $\Box\psi$, we can instead establish the validity of $p \Rightarrow \psi$.


5 Rules for Response

Response properties are those which can be expressed by a formula of the form

  $p \Rightarrow \Diamond q$, or equivalently $\Box(p \rightarrow \Diamond q)$

for some past formulae $p$ and $q$. Now that we have learned, in the previous section, how to generalize rules having assertional premises into rules with temporal premises involving past formulae, it is straightforward to properly adapt the set of rules from [MP83a]. The rules for establishing response properties can be partitioned into single-step rules and extended rules. We consider each group in turn.
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Rules  for  Single-Step  Response 


lese  are  the  rules  that  establish  properties  that  depend  on  the  execution  of  a  single  lieipfnl 
transition  (which  may  be  selected  out  of  several  candidates)  to  accomplish  the  guaranteed  response 
q.  We  have  three  rules  in  this  group,  which  differ  by  the  type  of  fairness  on  which  they  rely. 

The  first  rule  unconditio? of  any  fairness  assumption,  and  only  relies  on  the  fact  that  as 
long  as  there  are  c  .  rbled  transitiois,  some  transition  will  eventually  be  taken. 


B-RESP
  B1. $p \Rightarrow (q \lor \varphi)$
  B2. $\{\varphi\}\ \mathcal{T}\ \{q\}$
  B3. $\varphi \Rightarrow (q \lor En(\mathcal{T}))$
  ------------------------------------
      $p \Rightarrow \Diamond q$

The rule considers three past formulae $p$, $q$, and the auxiliary $\varphi$. Premise B1 requires that any $p$-state either already satisfies $q$, or satisfies $\varphi$. Premise B2 requires that taking any transition from a $\varphi$-state must lead to a $q$-state. Premise B3 requires that at least one transition must be enabled on each $\varphi$-state that does not satisfy $q$. Clearly such a transition must be taken next, resulting in a $q$-state.

The next single-step rule relies on continual fairness to ensure that eventually a helpful transition, leading to $q$, will be taken. It assumes a continual fairness requirement $(E, T) \in \mathcal{C}$.

C-RESP
  C1. $p \Rightarrow (q \lor \varphi)$
  C2. $\{\varphi\}\ \mathcal{T}\ \{q \lor \varphi\}$
  C3. $\{\varphi\}\ T\ \{q\}$
  C4. $\varphi \Rightarrow (q \lor En(E))$
  ------------------------------------
      $p \Rightarrow \Diamond q$

Premise C1 ensures, as before, that $p$ entails $q$ or $\varphi$. Premise C2 states that any transition of the program either leads from $\varphi$ to $q$, or preserves $\varphi$. Premise C3 states that any transition in the helpful set $T$ leads from $\varphi$ to $q$. Premise C4 ensures that $E$ is enabled as long as $\varphi$ holds and $q$ does not occur. It is not difficult to see that if $p$ happens, but is not followed by a $q$, then $\varphi$ must hold continuously beyond this point, and no transition of $T$ is taken. However, due to C4, this means that $E$ is continuously enabled beyond this point, which violates the requirement of continual fairness represented by $(E, T)$.
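Premises C1 to C4 are assertional, so for a finite-state program they can be decided by enumerating the states. The following Python is an added example, not code from the paper: it checks the four C-RESP premises on a constructed three-transition program (the variables, transition names and the two attempts below are made up for the illustration) and reports the states on which a premise fails.

```python
"""Enumerative check of the C-RESP premises on a finite-state program.
Added example, not code from the paper; the program below is constructed."""
from itertools import product

# Constructed program over V = {x, flag, done}: `inc` cycles x through 0..3,
# `raise` may raise the flag when x = 2, and `set` may set done while flag holds.
TRANSITIONS = {  # name -> (enabling condition, effect on a state)
    "inc":   (lambda s: True,        lambda s: {**s, "x": (s["x"] + 1) % 4}),
    "raise": (lambda s: s["x"] == 2, lambda s: {**s, "flag": True}),
    "set":   (lambda s: s["flag"],   lambda s: {**s, "done": True}),
}
STATES = [{"x": x, "flag": f, "done": d}
          for x, f, d in product(range(4), (False, True), (False, True))]


def check_c_resp(p, q, phi, E, T, trans=TRANSITIONS, states=STATES):
    """Return a dict premise -> list of counterexamples (all empty = premises valid).
    {phi} tau {psi} is read as: whenever tau is enabled on a phi-state, the
    successor satisfies psi; (E, T) is the continual fairness requirement used."""
    bad = {"C1": [], "C2": [], "C3": [], "C4": []}
    for s in states:
        if p(s) and not (q(s) or phi(s)):          # C1: p => q or phi
            bad["C1"].append(s)
        if not phi(s):
            continue
        for name, (enabled, effect) in trans.items():
            if not enabled(s):
                continue
            s1 = effect(s)
            if not (q(s1) or phi(s1)):             # C2: {phi} all transitions {q or phi}
                bad["C2"].append((name, s))
            if name in T and not q(s1):            # C3: {phi} helpful T {q}
                bad["C3"].append((name, s))
        if not q(s) and not any(trans[e][0](s) for e in E):   # C4: phi => q or En(E)
            bad["C4"].append(s)
    return bad


q = lambda s: s["done"]

# First attempt: p: x = 0 and not done, phi: not done, fairness (E, T) = ({set}, {set}).
# C4 fails on the flag-less phi-states, where `set` is disabled: nothing in this
# fairness requirement forces `raise` to ever be taken, so the rule cannot conclude.
ATTEMPT_1 = check_c_resp(p=lambda s: s["x"] == 0 and not s["done"], q=q,
                         phi=lambda s: not s["done"], E={"set"}, T={"set"})

# Second attempt: strengthen p and phi to (flag and not done). With `set`
# enabled on every phi-state, C1-C4 all hold, so C-RESP yields
# (flag and not done) => eventually done under continual fairness of ({set}, {set}).
ATTEMPT_2 = check_c_resp(p=lambda s: s["flag"] and not s["done"], q=q,
                         phi=lambda s: s["flag"] and not s["done"], E={"set"}, T={"set"})

if __name__ == "__main__":
    for label, result in (("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2)):
        failed = {k: v for k, v in result.items() if v}
        print(label, "premises violated:", failed or "none")
```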

The last rule relies on a recurrent fairness requirement $(E, T) \in \mathcal{R}$.

R-RESP
  R1. $p \Rightarrow (q \lor \varphi)$
  R2. $\{\varphi\}\ \mathcal{T}\ \{q \lor \varphi\}$
  R3. $\{\varphi\}\ T\ \{q\}$
  R4. $\varphi \Rightarrow \Diamond(q \lor En(E))$
  ------------------------------------
      $p \Rightarrow \Diamond q$

The difference between this rule and its C-version is in the fourth premise. While C4 requires that $\varphi$ entails the occurrence of $q$ or the enabling of $E$ now, R4 requires the eventual occurrence of $q$ or enabling of $E$. Here, an occurrence of $p$ not followed by a $q$ leads, as before, to $\varphi$ holding continuously, and no transition of $T$ being taken. However, the weaker premise R4 guarantees that $E$ is enabled infinitely many times, which suffices to violate the recurrent fairness requirement $(E, T)$.

In view of the fact that premise R4 appears to be of the same form as the conclusion, i.e., another response formula, one may wonder whether we may not enter a circular loop, trying to prove one response property by another. The answer to this problem is that when we prove premise R4, we actually consider a simpler program, in which none of the transitions of $E$ is ever used. This is because the first time a transition of $E$ can be taken, we have already achieved the goal of a state on which $E$ is enabled.

Rules for Extended Response

These rules combine single-step response properties to form general response properties, which need more than a single helpful transition for their achievement.

First, we list two basic rules, which express the monotonicity and transitivity of response properties. They properly belong to the general part.


R-MON
  $p \Rightarrow q$,  $r \Rightarrow t$
  $q \Rightarrow \Diamond r$
  ------------------------------------
  $p \Rightarrow \Diamond t$

R-TRNS
  $p \Rightarrow \Diamond q$
  $q \Rightarrow \Diamond r$
  ------------------------------------
  $p \Rightarrow \Diamond r$

The most important rule for establishing extended response properties is based on well-founded induction.

We say that the binary relation $\succ$ over the set $A$ (often presented as the pair $(A, \succ)$) is well-founded, if there does not exist an infinite sequence $a_0, a_1, \ldots$, where $a_i \in A$, such that $a_i \succ a_{i+1}$ for all $i = 0, 1, \ldots$.

For the relation $\succ$, we denote by $\prec$ its inverse relation, i.e.,

$a \prec b \iff b \succ a$,

and by $\preceq$ the reflexive extension:

$a \preceq b \iff (a \prec b)$ or $(a = b)$.

Assume a well-founded relation $(A, \succ)$, and a partial ranking function $\delta : \Sigma \mapsto A$, mapping states into the domain $A$. We denote the fact that $\delta$ is defined by $\delta \in A$. The following rule uses well-founded induction to establish an extended response property.


WELL-RESP
  W1. $p \Rightarrow (q \lor \varphi)$
  W2. $\varphi \Rightarrow (\delta \in A)$
  W3. $[\varphi \land (\delta = \alpha)] \Rightarrow \Diamond[q \lor (\varphi \land (\delta \prec \alpha))]$
  ------------------------------------
      $p \Rightarrow \Diamond q$

Premise W1 ensures that $p$ entails that either $q$ already holds, or $\varphi$ is established. Premise W2 ensures that $\delta$ is defined as long as $\varphi$ holds. Premise W3 guarantees that if $\varphi$ holds with a certain rank $\alpha$, then eventually we will reach a state in which either $q$ holds, or $\varphi$ is maintained but with a rank lower than $\alpha$. Since a well-founded ranking cannot go on decreasing forever, we must eventually reach a $q$-state.

The adequacy of this set of rules for proving response properties is established in Theorem 7.3 presented in Section 7, which states:

  The rules given above are complete, relative to assertional validity, for proving the $P$-validity of any response property.


6 Rules for Progress

In this section we deal with progress properties, which are the properties that can be expressed by a formula of the form

$\Box\Diamond p \lor \Diamond\Box q$,

for some past formulae $p$ and $q$. There are several alternative forms in which every progress property can be recast. They are given by

$\Box\Diamond p \rightarrow \Box\Diamond q$, or $\Box\Diamond p \Rightarrow \Diamond q$.

We prefer to work with an extended form of the last formula:

$(p \land \Box\Diamond r) \Rightarrow \Diamond q$.

This formula states that any occurrence of $p$ that is followed by infinitely many occurrences of $r$ must eventually be followed by an occurrence of $q$.


Progress under Continual Fairness

If we work only under the assumption of continual fairness, that is, the family of recurrent fairness requirements happens to be empty, then we can base the proof of progress properties on some response properties and a well-founded argument. This is given by the C-PROG rule.

C-PROG
  C1. $p \Rightarrow (q \lor \varphi)$
  C2. $\varphi \Rightarrow (\delta \in A)$
  C3. $[\varphi \land (\delta = \alpha)] \Rightarrow [(\varphi \land (\delta \preceq \alpha))\ \mathcal{U}\ q]$
  C4. $[r \land \varphi \land (\delta = \alpha)] \Rightarrow \Diamond[q \lor (\varphi \land (\delta \prec \alpha))]$
  ------------------------------------
      $(p \land \Box\Diamond r) \Rightarrow \Diamond q$

Note that this rule uses the Unless operator $\mathcal{U}$.

Premise C1 of the rule ensures that any position that satisfies $p$ either already satisfies $q$, or satisfies $\varphi$. Premise C2 ensures that $\delta$ is defined as long as $\varphi$ holds. Premise C3 ensures that, starting at a position satisfying $\varphi$ and having a defined rank $\alpha$, $\varphi$ is continuously maintained and the rank never increases above $\alpha$ until $q$ occurs, if ever. Premise C4 indicates that an additional occurrence of $r$ strengthens the non-increase guaranteed by C3 into a guaranteed eventual decrease. Thus, if there are infinitely many occurrences of $r$, then either $\delta$ decreases infinitely often, which is impossible due to well-foundedness, or $q$ is eventually realized.

The adequacy of this rule is stated by Corollary 7.1, presented in Section 7, which claims:

  For a program with no recurrent fairness requirements, the C-PROG rule is complete, relative to assertional validity, for proving the $P$-validity of any progress property.

Obviously, a progress property $(p \land \Box\Diamond r) \Rightarrow \Diamond q$ can be valid over a program due to the fact that the simpler response property $p \Rightarrow \Diamond q$ is valid. The theorem above depends on a particular mechanism to guarantee that infinitely many occurrences of $r$ cause the eventual occurrence of $q$. This mechanism is based on a ranking function, measuring the distance away from the realization of $q$, such that each occurrence of an extra $r$ causes an eventual decrease in the rank.

Progress under Recurrent Fairness

When we have recurrent fairness requirements, a well-founded decrease is not the only mechanism by which infinitely many occurrences of $r$ can cause the computation to progress from $p$ to $q$. Another possible mechanism is based upon a recurrent fairness requirement $(E, T) \in \mathcal{R}$, such that each transition in $T$ leads from $p$ to $q$, and each occurrence of $r$ causes $E$ to eventually become enabled (at least once). Consequently, the rule C-PROG is no longer adequate.

To cover the case of recurrent fairness, we present first a single-step rule for progress under recurrent fairness. The rule concerns a recurrent fairness requirement $(E, T) \in \mathcal{R}$, and past formulae $p$, $r$, $q$, and $\varphi$.

R-PROG
  R1. $p \Rightarrow (q \lor \varphi)$
  R2. $\{\varphi\}\ \mathcal{T}\ \{q \lor \varphi\}$
  R3. $\{\varphi\}\ T\ \{q\}$
  R4. $[\varphi \land \Box\Diamond(\varphi \land r)] \Rightarrow \Diamond(q \lor En(E))$
  ------------------------------------
      $(p \land \Box\Diamond r) \Rightarrow \Diamond q$

This rule establishes a single-step progress, under the assumption of the recurrent fairness requirement $(E, T) \in \mathcal{R}$. Several single-step progress properties can be combined, using the properties of monotonicity and transitivity of the progress formula. Below we present two rules, properly belonging to the general part, for these two properties.

P-MON
  $p' \Rightarrow p$,  $r' \Rightarrow r$,  $q \Rightarrow q'$
  $(p \land \Box\Diamond r) \Rightarrow \Diamond q$
  ------------------------------------
  $(p' \land \Box\Diamond r') \Rightarrow \Diamond q'$

P-TRNS
  $(p \land \Box\Diamond r) \Rightarrow \Diamond q$
  $(q \land \Box\Diamond r) \Rightarrow \Diamond t$
  ------------------------------------
  $(p \land \Box\Diamond r) \Rightarrow \Diamond t$

Finally, we have a well-founded rule for combining together progress properties using induction.

WELL-PROG
  W1. $p \Rightarrow (q \lor \varphi)$
  W2. $\varphi \Rightarrow (\delta \in A)$
  W3. $[\varphi \land (\delta = \alpha) \land \Box\Diamond r] \Rightarrow \Diamond[q \lor (\varphi \land (\delta \prec \alpha))]$
  ------------------------------------
      $[p \land \Box\Diamond r] \Rightarrow \Diamond q$

This more general case is summarized by Theorem 7.4 presented in Section 7.

  The rules given above are complete, relative to assertional validity, for proving the $P$-validity of any progress property.

7 Completeness of the System

In this section we sketch the general ideas that lead to the (relative) completeness of the rules presented earlier. Since the most innovative part of the proof system presented in this paper is the incorporation of past formulae, we structure the completeness proof into two major steps, the first of which is the elimination of the past. The second step is left to deal with the restricted case of safety, response, and progress properties, where the subformulae $p$ and $q$ are only state formulae.


Encoding Past Formulae

We define a temporal formula as stratified if it contains no future operator within the scope of a past operator. Obviously, all formulae in canonical form are stratified, because they never apply past operators to strict-future formulae.

Let us fix our attention on a program $P$ and a stratified formula $\varphi$, whose validity over $P$ we wish to establish.

Define $\Phi$ to be the set of subformulae of $\varphi$ (possibly including $\varphi$) whose principal operator is a past operator, i.e., $\ominus$ or $\mathcal{S}$. We define a set of new boolean variables $B$ consisting of a variable $b_p$ for each formula $p \in \Phi$. We intend to use the variable $b_p$ to encode $p$, i.e., as a variable that will be true at a position in a computation iff the formula $p$ is true there.

Let $q$ be a subformula of $\varphi$, and $p$ a subformula of $q$. We define $p$ to be $\Phi$-maximal in $q$ if

• $p \in \Phi$, and

• there is no $r$, another subformula of $q$, such that $r \in \Phi$ and $p$ is a proper subformula of $r$, i.e., strictly contained in $r$.

Let $p_1, \ldots, p_n$ be all the $\Phi$-maximal subformulae of $q$. We define the statification (i.e., encoding of past formulae as state formulae) of $q$, denoted by $stat(q)$ (or $q_s$), to be

$stat(q) : q[b_{p_1}/p_1, \ldots, b_{p_n}/p_n]$.

That is, $stat(q)$ is obtained from $q$ by replacing all occurrences of the subformula $p_i$ by the variable $b_{p_i}$, for $i = 1, \ldots, n$. It is not difficult to see that, in the special case that $q$ is a past formula, $stat(q)$ is a state formula.
Replacing past formulae by boolean variables is obviously not enough, unless we can guarantee that in all positions of the computation the variable $b_p$ assumes the same truth value as $p$. To achieve this we modify the program $P$, given by the system $(V, \Sigma, \mathcal{T}, \Theta, \mathcal{C}, \mathcal{R})$, to obtain its statified version $P_s$, given by $(V_s, \Sigma_s, \mathcal{T}_s, \Theta_s, \mathcal{C}_s, \mathcal{R}_s)$, where we define:

• $V_s = V \cup B$. That is, we augment $V$ by the new boolean variables in $B$.

• $\Sigma_s$: The set of interpretations over $V_s$. Variables in $B$ should be assigned boolean values.

• $\mathcal{T}_s$: Corresponding to each $\tau \in \mathcal{T}$ we place in $\mathcal{T}_s$ a transition $\tau_s$, whose transition relation is given by $\rho_{\tau_s} = \rho_\tau \land N$. The assertion $N(V_s, V_s')$ controls the evolution of the variables in $B$ between each state and its successor, and ensures that it corresponds to the evolution of the past formulae they stand for. The assertion $N$ is a conjunction containing a conjunct $C(p)$ for each $p \in \Phi$. These conjuncts are given by:

  – $C(\ominus p) : b'_{\ominus p} = stat(p)$.

    This conjunct guarantees that the boolean value of $b_{\ominus p}$ in the next state equals the truth-value of $stat(p)$ in the current state.

  – $C(p\,\mathcal{S}\,q) : b'_{p\mathcal{S}q} = [(stat(q))' \lor (b_{p\mathcal{S}q} \land (stat(p))')]$.

    This conjunct guarantees that $b_{p\mathcal{S}q}$ is true in the next state iff either $stat(q)$ holds there, or $stat(p)$ holds there and $b_{p\mathcal{S}q}$ holds now.

• $\Theta_s : \Theta \land Init$. The assertion $Init$ ensures that the initial value of each variable $b_p \in B$ matches the initial value of the past formula $p$. The assertion $Init$ contains a conjunct $I(p)$ for each $p \in \Phi$, given by:

  – $I(\ominus p) : \neg b_{\ominus p}$.

    This conjunct states that all previous formulae are initially false.

  – $I(p\,\mathcal{S}\,q) : b_{p\mathcal{S}q} = stat(q)$.

    This conjunct states that the only way for $p\,\mathcal{S}\,q$ to hold at the first state in a computation is for $stat(q)$ to hold there.

The structure of the fairness families $\mathcal{C}_s$ and $\mathcal{R}_s$ is identical to that of $\mathcal{C}$ and $\mathcal{R}$, except for the trivial renaming of each $\tau$ to $\tau_s$.

Example 7.1 Consider the simple program, presented in Example 4 above, which was given by $V = \{x\}$, $\mathcal{T} = \{\tau\}$, where $\rho_\tau : x' = x + 1$, and $\Theta : x = 0$. The formula considered there is

$\varphi : \Box((x = 10) \rightarrow \Diamond^{-}(x = 5))$.

Clearly, for this case $\Phi = \{\Diamond^{-}(x = 5)\}$, yielding a single boolean variable $b$, corresponding to the past formula $\Diamond^{-}(x = 5)$, which is an abbreviation for $\mathrm{T}\,\mathcal{S}\,(x = 5)$. Consequently, we have $stat(\varphi) : \Box((x = 10) \rightarrow b)$, and the statified program $P_s$ is given by:

• $V_s = \{x, b\}$.

• $\mathcal{T}_s = \{\tau_s\}$, where (following some simplifications) $\rho_{\tau_s} : (x' = x + 1) \land (b' = [(x' = 5) \lor b])$.

• $\Theta_s : (x = 0) \land (b = (x = 5))$, which is equivalent to $(x = 0) \land \neg b$.
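The construction of $P_s$ above, and Example 7.1, as an added Python example that is not code from the paper: it represents past formulae as a small syntax tree, computes the conjuncts $Init$ and $N$ for every formula in $\Phi$ (innermost first, so that $(stat(q))'$ can refer to already updated inner variables), and checks on the single computation of the example program that each $b_p$ agrees with the direct semantics of $p$ at every position. The class and function names are this example's own.

```python
"""Statification: encoding past formulae as boolean variables (added example,
not code from the paper). For a stratified past formula it builds the variables
b_p of the statified program P_s and checks on a run that every b_p agrees
with the direct semantics of p at each position (Theorem 7.1, first part)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

State = Dict[str, int]      # an interpretation of the program variables V
Bools = Dict[str, bool]     # values of the variables in B, keyed by str(p)

@dataclass(frozen=True)
class Atom:                 # a state formula, evaluated on one state
    name: str
    pred: Callable[[State], bool]
    def __str__(self): return self.name

@dataclass(frozen=True)
class Prev:                 # the "previous" operator applied to p
    p: "Formula"
    def __str__(self): return f"prev({self.p})"

@dataclass(frozen=True)
class Since:                # p S q
    p: "Formula"
    q: "Formula"
    def __str__(self): return f"({self.p} S {self.q})"

Formula = Union[Atom, Prev, Since]
TRUE = Atom("T", lambda s: True)

def phi_set(f: Formula) -> List[Formula]:
    """Phi: subformulae whose principal operator is prev or S, innermost first,
    so that updating b_f only needs the already-updated inner variables."""
    if isinstance(f, Atom):
        return []
    inner = phi_set(f.p) + (phi_set(f.q) if isinstance(f, Since) else [])
    return list(dict.fromkeys(inner + [f]))

def stat(f: Formula, s: State, b: Bools) -> bool:
    """stat(f) on state s: a Phi-maximal subformula becomes its variable b_f."""
    return f.pred(s) if isinstance(f, Atom) else b[str(f)]

def init_vars(f: Formula, s0: State) -> Bools:
    """Init conjuncts: I(prev p): not b;  I(p S q): b = stat(q)."""
    b: Bools = {}
    for g in phi_set(f):
        b[str(g)] = False if isinstance(g, Prev) else stat(g.q, s0, b)
    return b

def next_vars(f: Formula, s: State, b: Bools, s1: State) -> Bools:
    """N conjuncts: C(prev p): b' = stat(p) in the current state s;
    C(p S q): b' = stat(q)' or (b and stat(p)'), primed = evaluated in s1."""
    b1: Bools = {}
    for g in phi_set(f):
        if isinstance(g, Prev):
            b1[str(g)] = stat(g.p, s, b)
        else:
            b1[str(g)] = stat(g.q, s1, b1) or (b[str(g)] and stat(g.p, s1, b1))
    return b1

def holds(f: Formula, hist: List[State], j: int) -> bool:
    """Reference: direct past semantics of f at position j of the history."""
    if isinstance(f, Atom):
        return f.pred(hist[j])
    if isinstance(f, Prev):
        return j > 0 and holds(f.p, hist, j - 1)
    return any(holds(f.q, hist, k) and all(holds(f.p, hist, i) for i in range(k + 1, j + 1))
               for k in range(j + 1))

def encode_run(f: Formula, hist: List[State]) -> List[bool]:
    """b_f along hist, computed only through Init and the conjunct N."""
    bs = [init_vars(f, hist[0])]
    for s, s1 in zip(hist, hist[1:]):
        bs.append(next_vars(f, s, bs[-1], s1))
    return [b[str(f)] for b in bs]

def agrees(f: Formula, hist: List[State]) -> bool:
    """True iff b_f equals f at every position of hist."""
    return encode_run(f, hist) == [holds(f, hist, j) for j in range(len(hist))]

# Example 7.1: rho_tau: x' = x + 1, Theta: x = 0, phi: always((x = 10) -> once(x = 5)),
# where once(x = 5) abbreviates T S (x = 5). The run is the program's only computation.
ONCE_X5 = Since(TRUE, Atom("x=5", lambda s: s["x"] == 5))
RUN = [{"x": i} for i in range(13)]

def stat_phi_holds(hist: List[State] = RUN) -> bool:
    """stat(phi) = always((x = 10) -> b), evaluated with b from the statified program."""
    b = encode_run(ONCE_X5, hist)
    return all(s["x"] != 10 or b[j] for j, s in enumerate(hist))
```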

Theorem 7.1 (Past Elimination)

• The formula $\varphi$ is valid over $P$ iff $stat(\varphi)$ is valid over $P_s$.

• Any proof of $P_s \vdash stat(\varphi)$, using the proof system presented in this paper, can be effectively transformed to a proof of $P \vdash \varphi$.

Proof: The first statement of the theorem follows from the fact that there is a one-to-one correspondence between computations of $P$ and computations of $P_s$, such that for every $\sigma$, a computation of $P$, and $\sigma_s$, the corresponding computation of $P_s$, position $j$, and past formula $p \in \Phi$:

$(\sigma_s, j) \models (b_p = p)$.

This fact can be proved by induction on $j = 0, 1, \ldots$ and structural induction on $p \in \Phi$.

The second statement of the theorem is proven by showing that, replacing each line $\vdash \psi$ in the proof of $P_s \vdash stat(\varphi)$ by the line $\vdash stat^{-1}(\psi)$, we obtain a sound proof of $P \vdash \varphi$. The transformation $stat^{-1}(\psi)$ replaces each occurrence of $b_p$ in $\psi$ by the past formula $p$, each occurrence of $b'_p$ by $p'$, and each occurrence of $\Theta_s$ and $\rho_{\tau_s}$ by $\Theta$ and $\rho_\tau$, respectively.

A detailed proof of this fact considers the different justifications for the line $\vdash \psi$, and shows the corresponding justifications for $\vdash stat^{-1}(\psi)$.

An illustrative case in point is a proof line stating the validity of a verification condition, for the simple case that $p$ and $q$ are state formulae, and that the line is justified by generalization of a valid state formula.

This leads to the proof line

$\vdash \rho_{\tau_s} \Rightarrow b'_{p\mathcal{S}q}$,

which can be written as

$\vdash [\rho_\tau \land (b'_{p\mathcal{S}q} = [q' \lor (b_{p\mathcal{S}q} \land p')])] \Rightarrow b'_{p\mathcal{S}q}$,

which is equivalent to

$\rho_\tau \Rightarrow [q' \lor (b_{p\mathcal{S}q} \land p')]$.

Since $\rho_\tau$ does not refer to $b_{p\mathcal{S}q}$, this line can be valid only if $\rho_\tau \rightarrow q'$ is a valid state formula. Applying $stat^{-1}$ to $\rho_{\tau_s} \Rightarrow b'_{p\mathcal{S}q}$, we obtain

$\vdash \rho_\tau \Rightarrow (p\,\mathcal{S}\,q)'$,

which expands to

$\rho_\tau \Rightarrow [q' \lor ((p\,\mathcal{S}\,q) \land p')]$.

Clearly, the validity of $\rho_\tau \rightarrow q'$, claimed above, can be used to justify this line.

A small technical problem is that a naive substitution of a past formula $p$ for the variable $b_p$ may result in formulae that are not allowed in our syntax. A case in point is a state formula $\phi(b_p)$, in which the variable $b_p$ falls in the scope of a quantification (on some other variable). Our syntax does not allow quantification over temporal formulae that are not state formulae. To resolve this problem, we observe that the state formula $\phi(b_p)$ is equivalent, in all contexts, to the formula $(b_p \land \phi(\mathrm{T})) \lor (\neg b_p \land \phi(\mathrm{F}))$, in which the occurrences of $b_p$ are outside any scopes of quantifications performed in $\phi$. Substitution in this latter form will result in a formula that is allowed by our syntax.

We should emphasize that the systematic elimination of the past from formulae and proofs, which facilitates establishing the completeness of the proof system, is not necessarily the approach we recommend for the actual verification of concrete programs. On the contrary, we strongly recommend working directly with past formulae which explicitly represent the relevant facts about the history of the computation leading to the current state. For example, we find the invariant $\Box((x = 10) \rightarrow \Diamond^{-}(x = 5))$ much more appealing and explicit than the encoded version $\Box((x = 10) \rightarrow b)$, accompanied by the tacit understanding that $b = \mathrm{T}$ iff we have passed in the past through a state in which $x = 5$.

Having shown how the past can be systematically eliminated, and replaced by state formulae, it only remains to show that the rules given above are adequate for proving the validity of the three classes of formulae:

$\Box p$,  $p \Rightarrow \Diamond q$,  $(p \land \Box\Diamond r) \Rightarrow \Diamond q$,

for the restricted case that $p$, $q$, and $r$ are state formulae. These cases are more familiar, and the completeness of similar rules, for the cases of the safety and response classes, has been previously discussed in several places, such as [LPS81], [GFMdR85], [Fra86], [AS89], and [MP87].

Since we have restricted our attention to state formulae, it is sufficient to show that, whenever $\Box q$ is valid over the program $P$, we can prove this fact, using the INV rule. Premise I3 is proven by showing that $(\rho_\tau \land \varphi) \rightarrow \varphi'$ is a valid state formula for every $\tau \in \mathcal{T}$.

Theorem 7.2 (Completeness of Safety) The rule INV is complete, relative to assertional validity, for proving the validity of safety formulae of the form $\Box q$, where $q$ is a state formula.

Proof: The basic idea of the proof is the construction of an assertion $\chi$ that holds in a state $s$ iff $s$ is accessible, i.e., appears in some computation of $P$. We then show semantically that, if $\Box q$ is indeed valid over $P$, then the premises of the INV rule are valid when taking $\chi$ for $\varphi$.

We assume that our data domain is expressive enough to encode records (i.e., lists) of data elements, and lists of records. In the definition of the assertion, we freely use the auxiliary variable $r$ ranging over records, and a variable $\lambda$ ranging over lists of records. We are mainly interested in records $r$ of size $|V|$, and often write $r = V$ to denote that the record $r$ contains a list of elements equal to the current values of the state variables $V$. We use the subscripted expression $\lambda[i]$ to refer to the $i$-th element of $\lambda$, and the expression $last(\lambda)$ to refer to the last element of $\lambda$. For an assertion $\psi(V)$, referring to the state variables $V$, and a record $r$ of size equal to that of $V$, we denote by $\psi(r)$ the assertion $\psi$ in which the value $r[i]$ is substituted for the state variable $u_i \in V$, for $i = 1, \ldots, |V|$.

The assertion $\chi$ is given by:

$\chi(V) : \exists\lambda : (|\lambda| > 0) \land \alpha \land \beta \land \gamma$.

The body of the assertion $\chi$ (to which we refer as $\Psi(V, \lambda)$) consists, in addition to the requirement that $\lambda$ is non-empty, of three clauses, given by:

$\alpha : \Theta(\lambda[1])$

$\beta : V = last(\lambda)$

$\gamma : \forall i\,(1 \le i < |\lambda|) : \bigvee_{\tau \in \mathcal{T}} \rho_\tau(\lambda[i], \lambda[i+1])$.

The assertion $\chi$ states the existence of a list of records $\lambda$ of length $n = |\lambda| > 0$. The list $\lambda$ encodes the history of a computation from some initial state to the current state. Each element $\lambda[i]$, $i = 1, \ldots, n$, is a record of data elements, representing the values of the state variables $V$ at the $i$-th state of the computation.

Clause $\alpha$ states that $\lambda[1]$ satisfies $\Theta$, the initial assertion of the program.

Clause $\beta$ states that the current state variables $V$ equal $last(\lambda) = \lambda[n]$, the last record in $\lambda$.

Clause $\gamma$ states that the $(i+1)$-st record of $\lambda$, for each $i = 1, \ldots, n-1$, is a $\tau$-successor of the $i$-th record, for some transition $\tau$, guaranteeing the correct succession from $\lambda[1]$ to $\lambda[n]$.

We will show now that $\chi$, when substituted for $\varphi$, validates the three premises of the INV rule.

I1. $\Theta \rightarrow \chi$

  It is not difficult to see that taking $\lambda$ to be $(V)$, i.e., the list consisting of the single record containing the current values of $V$, the assertion $\Theta(V)$ implies the body $\Psi(V, \lambda)$.

I2. $\chi \rightarrow q$

  By our assumption that $\Box q$ is valid over $P$, it follows that each accessible state satisfies $q$. Since $\chi$ characterizes precisely the accessible states, the premise follows.

I3. $[\rho_\tau(V, V') \land \exists\lambda : \Psi(V, \lambda)] \rightarrow \exists\lambda' : \Psi(V', \lambda')$, for each $\tau \in \mathcal{T}$.

  It is not too difficult to see that if $V$, $V'$, and $\lambda$ satisfy $\rho_\tau(V, V') \land \Psi(V, \lambda)$, then there exists a $\lambda'$ which satisfies $\Psi(V', \lambda')$. An appropriate choice is

  $\lambda' : \lambda * (V')$,

  i.e., the list obtained by appending to the end of $\lambda$ an additional record, consisting of the list of the values of the primed variables $V'$.

Since we are interested in showing completeness, relative to assertional validity, it is sufficient to show that the premises are assertionally valid, as we have done above.

Response

As a complete rule for establishing response properties of the form $p \Rightarrow \Diamond q$, for the restricted case that $p$ and $q$ are state formulae, we propose the following F-RESP rule, which is an appropriate combination of the WELL-RESP, C-RESP, and R-RESP rules. As usual, the rule stipulates the existence of an auxiliary assertion $\varphi$, a well-founded relation $(A, \succ)$, and a partial ranking function $\delta : \Sigma \mapsto A$, mapping states into the domain $A$.

Since we intend to combine together continual and recurrent fairness, it is helpful to form the union of the continual and recurrent fairness requirements into one set of fairness requirements

$\mathcal{F} = \mathcal{C} \cup \mathcal{R}$.

F-RESP
  F1. $p \Rightarrow (q \lor \varphi)$
  F2. $\varphi \Rightarrow (\delta \in A)$
  F3. $\{\varphi \land (\delta = \alpha)\}\ \mathcal{T}\ \{q \lor (\varphi \land (\delta \preceq \alpha))\}$
  For each $\alpha \in A$, there exists a fairness requirement $F_\alpha = (E_\alpha, T_\alpha) \in \mathcal{F}$, such that
  F4. $\{\varphi \land (\delta = \alpha)\}\ T_\alpha\ \{q \lor (\varphi \land (\delta \prec \alpha))\}$
  If $F_\alpha \in \mathcal{C}$, then
  C5. $[\varphi \land (\delta = \alpha)] \Rightarrow (q \lor En(E_\alpha))$
  If $F_\alpha \in \mathcal{R}$, then
  R5. $[\varphi \land (\delta = \alpha)] \Rightarrow \Diamond[q \lor (\varphi \land (\delta \prec \alpha)) \lor En(E_\alpha)]$
  ------------------------------------
      $p \Rightarrow \Diamond q$

This rule combines well-foundedness with single-step rules. For each parameter $\alpha \in A$, the rule requires the identification of a fairness requirement $F_\alpha$ that can be either a continual fairness requirement or a recurrent fairness requirement. In both cases, it is required (by premise F4) that any transition in $T_\alpha$ leads from each $\varphi$-state $s$ with rank $\alpha$ to a state $s'$ that either satisfies $q$, or satisfies $\varphi$ with a rank strictly lower than $\alpha$. Any transition not in $T_\alpha$ is required (by premise F3) to lead from each $\varphi$-state with rank $\alpha$ to a state $s'$ that either satisfies $q$, or satisfies $\varphi$ with a rank not higher than $\alpha$.

For the case that $(E_\alpha, T_\alpha)$ is a continual fairness requirement, premise C5 requires that each $\varphi$-state with rank $\alpha$ either satisfies $q$, or enables $E_\alpha$. For the case that $(E_\alpha, T_\alpha)$ is a recurrent fairness requirement, premise R5 requires that each $\varphi$-state $s$ with rank $\alpha$ is eventually followed by a state $s'$ that either satisfies $q$, or satisfies $\varphi$ with a rank lower than $\alpha$, or enables $E_\alpha$. To avoid circularity, premise R5 is to be proven for a simpler program, in which $F_\alpha = (E_\alpha, T_\alpha)$ is removed from the list of fairness requirements. This is feasible because when trying to achieve a state in which $E_\alpha$ is enabled, we cannot be helped by any transition of $E_\alpha$, since its activation from a state $s'$ implies that $E_\alpha$ is already enabled on $s'$.

The following lemma establishes a connection between an arbitrary well-founded relation and a well-founded ranking. Such a ranking is required for the rule F-RESP.

Lemma 7.1 Let $B$ be a well-founded relation over the set $S$. Then there exists a total ranking function $\delta : S \mapsto Ordinals$, mapping each element of $S$ into some ordinal, such that:

a. $sBs' \rightarrow \delta(s) > \delta(s')$.

b. If $s'Bs'' \rightarrow sBs''$ for every $s'' \in S$, then $\delta(s) \ge \delta(s')$.
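Lemma 7.1 for a finite $S$, as an added Python example that is not code from the paper: the ranking $\delta(s)$ is taken to be the height of $s$ in $B$ (for a finite set the ordinals needed are natural numbers), both clauses of the lemma are then checked directly on a constructed relation, and a relation with a cycle, which is not well-founded, is rejected. The set, relation and function names are this example's own.

```python
"""Ranking function for a finite well-founded relation B over a set S.
Added example, not code from the paper. delta(s) is the height of s in B
(for a finite S the ordinals needed are natural numbers); clauses a and b of
Lemma 7.1 are then verified directly, and a cyclic B is rejected."""
from typing import Dict, Hashable, Iterable, Set, Tuple

Pair = Tuple[Hashable, Hashable]


def successors(S: Iterable[Hashable], B: Set[Pair]) -> Dict[Hashable, Set[Hashable]]:
    """Map each s in S to the set of t with sBt."""
    succ: Dict[Hashable, Set[Hashable]] = {s: set() for s in S}
    for s, t in B:
        succ[s].add(t)
    return succ


def ordinal_ranking(S: Iterable[Hashable], B: Set[Pair]) -> Dict[Hashable, int]:
    """delta(s) = 0 if s has no B-successor, else 1 + max delta over its successors.
    Raises ValueError if B has a cycle, i.e. is not well-founded."""
    succ = successors(S, B)
    delta: Dict[Hashable, int] = {}
    on_path: Set[Hashable] = set()      # states on the current recursion path

    def height(s):
        if s in delta:
            return delta[s]
        if s in on_path:
            raise ValueError(f"B is not well-founded: cycle through {s!r}")
        on_path.add(s)
        delta[s] = 1 + max((height(t) for t in succ[s]), default=-1)
        on_path.discard(s)
        return delta[s]

    for s in succ:
        height(s)
    return delta


def is_well_founded(S: Iterable[Hashable], B: Set[Pair]) -> bool:
    try:
        ordinal_ranking(S, B)
        return True
    except ValueError:
        return False


def satisfies_lemma(S: Iterable[Hashable], B: Set[Pair], delta: Dict[Hashable, int]) -> bool:
    """Clause a: sBs' -> delta(s) > delta(s').
    Clause b: if every B-successor of s' is a B-successor of s, then delta(s) >= delta(s')."""
    succ = successors(S, B)
    clause_a = all(delta[s] > delta[t] for s, t in B)
    clause_b = all(delta[s] >= delta[t]
                   for s in succ for t in succ if succ[t] <= succ[s])
    return clause_a and clause_b


# Constructed relation: read sBt as "a q-free segment fulfilling every fairness
# requirement leads from s to t", the role B plays in the proof of Theorem 7.3.
STATES = {"s1", "s2", "s3", "s4", "s5", "s6"}
RELATION = {("s6", "s5"), ("s6", "s4"), ("s5", "s3"), ("s4", "s3"),
            ("s3", "s2"), ("s3", "s1"), ("s2", "s1")}
RANKING = ordinal_ranking(STATES, RELATION)

if __name__ == "__main__":
    print(RANKING, satisfies_lemma(STATES, RELATION, RANKING))
```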

Based on this lemma, we can now state and prove the main completeness theorem.

Theorem 7.3 (Completeness for Response) The rule F-RESP is complete, relative to assertional validity, for proving the validity of response formulae of the form $p \Rightarrow \Diamond q$, where $p$ and $q$ are state formulae.


Proof: Assume the formula $p \Rightarrow \Diamond q$ to be valid over the program $P$. We have to show the existence of an appropriate assertion $\varphi$, a well-founded ordering $(A, \succ)$, a ranking function $\delta : \Sigma \mapsto A$, and a selection function, identifying for each $\alpha \in A$ a fairness requirement $F_\alpha = (E_\alpha, T_\alpha) \in \mathcal{F}$, such that together they satisfy the premises of the F-RESP rule. Due to the incrementality principle, we may use the assertion $\chi$, which characterizes accessibility, and whose invariance over $P$ has been established by the preceding theorem.

We define a (computation) segment to be a finite sequence of states $\sigma : s_1, \ldots, s_k$, for $k \ge 1$, such that for every $i = 1, \ldots, k-1$, $s_{i+1}$ is a $\tau$-successor of $s_i$, for some $\tau \in \mathcal{T}$. We say that the segment connects $s_1$ to $s_k$. We define a segment to be $q$-free if none of its states satisfies $q$. From now on, when we refer to a segment, we mean a $q$-free segment.

We define the assertion $\varphi$ required by the F-RESP rule as follows.

$s \models \varphi$ iff there exists an accessible $p$-state $\hat{s}$ and a $q$-free segment connecting $\hat{s}$ to $s$.

Obviously, $\varphi$ can be expressed in our assertion language, using techniques similar to the ones used for defining $\chi$ in the theorem about safety.

It is clear that if the state $s$ satisfies $\varphi$, and some computation contains $s$ at position $j$, then due to the assumed validity of $p \Rightarrow \Diamond q$ there must be a later position $k > j$ satisfying $q$.

It is also obvious that $\varphi$, defined in this way, satisfies premise F1 of the rule, i.e., $p \Rightarrow (q \lor \varphi)$. This is because, if $s$ is an accessible $p$-state which does not satisfy $q$, then we can take $\hat{s} = s$ and the singleton segment $s$, connecting $s$ to itself, as a justification for the claim that $s$ satisfies $\varphi$. We can restrict our attention here and elsewhere to accessible states only due to the incrementality principle.

Let the family of combined fairness requirements $\mathcal{F}$ consist of the sets $F_1, \ldots, F_m$, where each $F_i$ is either a continual fairness requirement or a recurrent fairness requirement. Without loss of generality, we assume that one of the $F_i$ is a fairness requirement consisting of a pair of sets, each being the full set of transitions $\mathcal{T}$. For a segment $\sigma : s_1, \ldots, s_k$ and a fairness requirement $F_i \in \mathcal{F}$, we say that $F_i = (E_i, T_i)$ is fulfilled in $\sigma$ if one of the following holds:

• Some transition of $T_i$ is taken in $\sigma$.

• $F_i$ is a continual fairness requirement, and $E_i$ is disabled on some state in $\sigma$.

We define the satisfiability set of $\sigma$, denoted by $sat(\sigma)$, to be the set of all $i \in \{1, \ldots, m\}$ such that $F_i$ is fulfilled in $\sigma$. Let $\Phi$ denote the set of all states satisfying $\varphi$. We define a binary relation $B$ on $\Phi$ by:

$sB\hat{s}$ iff there exists a $q$-free segment $\sigma$ connecting $s$ to $\hat{s}$, such that $sat(\sigma) = \{1, \ldots, m\}$.


We claim that $B$ is a well-founded relation over $\Phi$. This is because an infinite sequence

$s^1\,B\,s^2\,B\,s^3 \ldots$

gives rise to a computation

$\ldots, \tilde{s}, \ldots, s^1, \ldots, s^2, \ldots, s^3, \ldots$

such that it is initial, $\tilde{s}$ satisfies $p$, and no state beyond $\tilde{s}$ satisfies $q$. Such a computation obviously violates our assumption that $p \Rightarrow \Diamond q$ is valid over $P$. The fact that the sequence above is a computation, in particular that it satisfies all the fairness requirements, hinges on the assumption that the satisfiability set of each segment $\sigma^i$ connecting $s^i$ to $s^{i+1}$ is the full set $\{1, \ldots, m\}$.

According to Lemma 7.1, there exists a ranking function $\delta_0: \Phi \to \mathrm{Ordinals}$, mapping states in $\Phi$ into the ordinals.

Let $s$ be a $\varphi$-state and $s'$ a successor of $s$. If $s'$ does not satisfy $q$, then it is also a $\varphi$-state. In this case we show that $\delta_0(s) \ge \delta_0(s')$. This inequality is ensured by clause b of Lemma 7.1, provided we show that for every $s''$, $s'\,B\,s''$ implies $s\,B\,s''$.

Indeed, let $s''$ be a state such that $s'\,B\,s''$. By the definition there exists a $q$-free segment $\sigma': s', \ldots, s''$ connecting $s'$ to $s''$, such that $sat(\sigma') = \{1, \ldots, m\}$. It is obvious that the segment $\sigma: s, s', \ldots, s''$, formed by appending $s$ to the beginning of $\sigma'$, connects $s$ to $s''$, is still $q$-free (since $s$ is a $\varphi$-state), and that $sat(\sigma) = \{1, \ldots, m\}$. This establishes $s\,B\,s''$.


The ranking $\delta_0$ is not fine enough to uniquely identify the helpful fairness set $F_\alpha$. We therefore augment it by a secondary ranking $\delta_1$ defined as follows.

For a segment $\sigma$, we define the deficit of $\sigma$, denoted by $\Delta(\sigma)$, to be the smallest positive integer $i$ such that $F_i$ is not fulfilled in $\sigma$. In the case that $sat(\sigma) = \{1, \ldots, m\}$, $\Delta(\sigma)$ is defined to be $m+1$. We define a segment $\sigma: s_1, \ldots, s_k$ to be leveled if $\delta_0(s_1) = \ldots = \delta_0(s_k)$.

For every $\varphi$-state $s$, we define its secondary ranking $\delta_1(s)$ by

$\delta_1(s) = \max\{\Delta(\sigma) \mid \sigma \text{ is a leveled segment departing from } s\}.$

The complete ranking function, to be used in the rule, is formed by the lexicographical pairing $\delta(s) = (\delta_0(s), \delta_1(s))$. The range of the function $\delta$ is defined to be $A$, the set of all pairs of the form $(\alpha_0, i)$, where $\alpha_0$ is an ordinal and $i \le m+1$.

The ordering $\succ$ over $A$ is defined by

$(\alpha_0, i) \succ (\alpha_0', i') \iff (\alpha_0 > \alpha_0') \vee ((\alpha_0 = \alpha_0') \wedge (i > i'))$.

Clearly, this ordering is well-founded.

There are several properties these ranking functions satisfy.


P1. For every $\varphi$-state $s$, $\delta_1(s) \le m$.

Let $\sigma$ be a leveled segment connecting $s$ to some $s'$. If $sat(\sigma)$ equals $\{1, \ldots, m\}$, then $s\,B\,s'$ holds, which leads to $\delta_0(s) > \delta_0(s')$, contradicting the fact that $\sigma$ is leveled. It follows that at least some $F_i$ is not fulfilled in $\sigma$, and therefore $\delta_1(s) \le m$.

P2. For every $\varphi$-state $s$ and its successor $s'$, either $s'$ satisfies $q$, or $\delta(s) \succeq \delta(s')$.

Assume that $s'$ does not satisfy $q$. We have already shown that $\delta_0(s) \ge \delta_0(s')$. If $\delta_0(s) > \delta_0(s')$, then clearly $\delta(s) \succ \delta(s')$. In the other case, i.e., $\delta_0(s) = \delta_0(s')$, let $\delta_1(s') = i$. By the definition of $\delta_1$, there exists a leveled segment $\sigma': s', \ldots, s''$, such that $i$ is the smallest index of a fairness requirement $F_i$ which is not fulfilled in $\sigma'$. Consider the augmented segment $\sigma: s, s', \ldots, s''$. Clearly, $\sigma$ is leveled and any $F_j$ fulfilled in $\sigma'$ is also fulfilled in $\sigma$. It follows that the deficit of $\sigma$ satisfies $\Delta(\sigma) \ge \Delta(\sigma') = i$. Since $\sigma$ is only one of the leveled segments departing from $s$, and $\delta_1(s)$ is defined to be the maximum of the deficits of all such segments, it follows that $\delta_1(s) \ge i$.


P3. Let $s$ be a $\varphi$-state such that $\delta_1(s) = i$. Let $s'$ be a $\tau$-successor of $s$, where $\tau$ is one of the transitions of $T_i$. Then, either $s'$ satisfies $q$ or $\delta(s) \succ \delta(s')$.

It is sufficient to consider the case that $s'$ does not satisfy $q$ and that $\delta_0(s) = \delta_0(s')$, and to show that $\delta_1(s) > \delta_1(s')$. Assume, to the contrary, that $\delta_1(s) = \delta_1(s') = i$. Let $\sigma': s', \ldots, s''$ be, as before, the segment realizing the deficit $i$ for $s'$. Clearly, the augmented segment $\sigma: s, s', \ldots, s''$ fulfills all the requirements fulfilled by $\sigma'$, and in addition also fulfills $F_i$ (since $\tau \in T_i$ is taken in $\sigma$). It follows that $\Delta(\sigma) > i$, and therefore also $\delta_1(s) > i$, contradicting our original assumption.

We proceed to show that all the premises of the F-RESP rule are satisfied by these definitions. We have already shown that F1 is valid.

F2. $\varphi \Rightarrow (\delta \in A)$

Clearly $\delta_0$ and $\delta_1$ are defined on every $\varphi$-state. It follows that $\delta$ is also defined.

For the next premises, we identify, for each value $\alpha = (\alpha_0, i) \in A$, the helpful fairness requirement $F_\alpha = (E_\alpha, T_\alpha)$ to be $F_i = (E_i, T_i)$.

F3. $\{\varphi \wedge (\delta = \alpha)\}\ \mathcal{T}\ \{q \vee (\varphi \wedge (\delta \preceq \alpha))\}$

It is straightforward to show that if $s'$ is a successor of a $\varphi$-state $s$, then either $s'$ satisfies $q$ or it is also a $\varphi$-state, which by property P2 above satisfies $\delta(s) \succeq \delta(s')$.

F4. $\{\varphi \wedge (\delta = \alpha)\}\ T_\alpha\ \{q \vee (\varphi \wedge (\delta \prec \alpha))\}$

Let $s$ be a $\varphi$-state such that $\delta_1(s) = i$, and $s'$ a $\tau$-successor of $s$, for some transition $\tau \in T_i$. If $s'$ does not satisfy $q$, then it clearly satisfies $\varphi$ and, by property P3 stated above, also satisfies $\delta(s) \succ \delta(s')$.

For the case that $F_i = (E_i, T_i)$ is a continual fairness requirement, we proceed to show

C5. $[\varphi \wedge (\delta = \alpha)] \Rightarrow (q \vee En(E_\alpha))$

Let $s$ be a $\varphi$-state, not satisfying $q$, such that $\delta_1(s) = i$. Let $\sigma: s, \ldots, s''$ be the segment realizing the deficit $i$. If $E_i$ were disabled on $s$, then according to the definition $F_i$ would have been fulfilled in $\sigma$. We conclude that $E_i$ must be enabled on $s$.

For the case that $F_i = (E_i, T_i)$ is a recurrent fairness requirement, we proceed to show

R5. $\mathcal{F} - \{F_\alpha\} \vdash [\varphi \wedge (\delta = \alpha)] \Rightarrow \Diamond[q \vee (\varphi \wedge (\delta \prec \alpha)) \vee En(E_\alpha)]$

Let $P'$ denote the program which is identical to $P$ in all components, except that the recurrent fairness requirement $F_i = F_\alpha$ has been removed from its combined fairness set $\mathcal{F}$. We proceed to show that $P' \models \psi$, where $\psi$ is the formula whose validity is claimed to be provable in R5. Assume, to the contrary, that $\psi$ is not valid over $P'$. In that case there must exist $\sigma$, a computation of $P'$, containing at some position $j$ a $\varphi$-state $s$ with rank $\alpha$ (and $\delta_1(s) = i$), such that no position beyond $j$ satisfies $q \vee (\varphi \wedge (\delta \prec \alpha)) \vee En(E_i)$. Being a computation of $P'$ means that it satisfies all the fairness requirements posed by $P$, except possibly $F_i$. However, since $En(E_\alpha) = En(E_i)$ is one of the disjuncts excluded beyond position $j$, it follows that $E_i$ is enabled only finitely many times on $\sigma$, which implies that $\sigma$ is fair also with respect to $F_i$ and is therefore also a computation of $P$. This violates our original assumption that $\psi$ is valid over $P$.

If we base our completeness proof on induction on the size of $\mathcal{F}$, the combined fairness set, we have just reduced the completeness problem of response properties for programs with $|\mathcal{F}| = n+1$ to that of programs with $|\mathcal{F}| = n$. By such an induction, since we have just shown that $P' \models \psi$, it follows that $P' \vdash \psi$, as is required by R5.

Note that the reduction implied by premise R5 always removes from $\mathcal{F}$ a recurrent requirement. This implies that after any number of such removals $\mathcal{F}$ will still contain the continual fairness requirement $(\mathcal{T}, \mathcal{T})$, and therefore $|\mathcal{F}| \ge 1$.

It follows that the base case for the induction can be $|\mathcal{F}| = n = 1$. In this case, the only helpful requirement can be $(\mathcal{T}, \mathcal{T})$. The arguments above are fully applicable for this case, except that the case leading to R5 never arises, since the helpful requirement is always a continual requirement.

Progress 


Lastly, we consider proving the completeness of our proof system for proving formulae of the form $(p \wedge \Box\Diamond r) \Rightarrow \Diamond q$, for state formulae $p$, $q$, and $r$. A helpful intuition, which will guide us in the proof, is that such a formula is valid over $P$ iff the response formula $p \Rightarrow \Diamond q$ is valid over a program which differs from $P$ by having an additional continual fairness requirement, which demands that every computation contains infinitely many $r$-states.

With this understanding, we proceed along a route very similar to that of establishing completeness for response properties. We consider first the general case of a program that has both continual and recurrent fairness requirements.


As a first step, we formulate a combined rule for progress, using a notation similar to that of the F-RESP rule, with some small changes. We define the combined fairness set $\mathcal{F}_r = \{(\emptyset, T_p)\} \cup \mathcal{C} \cup \mathcal{R}$. Thus, the set $\mathcal{F}_r$ contains, in addition to the continual fairness requirements taken from $\mathcal{C}$ and the recurrent fairness requirements taken from $\mathcal{R}$, also the special "fairness" requirement $(\emptyset, T_p)$. This virtual fairness requirement contains no transitions in its $E$ set, but restricts our attention (as may be seen from the rule) to computations in which $r$ occurs infinitely many times. We represent the requirements contained in $\mathcal{F}_r$ by the list $F_0, F_1, \ldots, F_m$, where $F_1, \ldots, F_m$ are the real fairness requirements, and $F_0 = (\emptyset, T_p)$ is the virtual one. Following is the combined rule for progress.


Theorem 7.4 (Completeness for Progress) The rule F-PROG is complete, relative to assertional validity, for proving the validity of progress formulae of the form $(p \wedge \Box\Diamond r) \Rightarrow \Diamond q$, where $p$, $r$, and $q$ are state formulae.

Proof: Assume the formula $(p \wedge \Box\Diamond r) \Rightarrow \Diamond q$ to be valid over the program $P$. We adopt the definitions of $\varphi$, and of $q$-free segments, from Theorem 7.3. We slightly modify the definition of fulfillment in a segment to read as follows:


For a segment $\sigma: s_1, \ldots, s_k$ and a fairness requirement $F_i = (E_i, T_i) \in \mathcal{F}_r$, we say that $F_i$ is fulfilled in $\sigma$ if one of the following holds:

•  $i > 0$ and some transition of $T_i$ is taken in $\sigma$.

•  $i > 0$, $F_i$ is a continual fairness requirement, and $E_i$ is disabled on some state in $\sigma$.

•  $i = 0$ and some state in $\sigma$ satisfies $r$.


Thus, we associate the fulfillment of the set $F_0 = (\emptyset, T_p)$ with the satisfaction of $r$. We define the set $sat(\sigma)$, for a segment $\sigma$, as before, except that its range may now be any subset of $\{0, 1, \ldots, m\}$. Similarly, we define the relation $B$ to hold between two states, $s$ and $s'$, if there exists a segment $\sigma$ connecting them, such that $sat(\sigma) = \{0, 1, \ldots, m\}$. The relation $B$ is well-founded, because an infinite sequence of $B$-related $\varphi$-states gives rise to a computation violating $(p \wedge \Box\Diamond r) \Rightarrow \Diamond q$. Consequently, we obtain the primary ranking $\delta_0$. The definition of the deficit $\Delta(\sigma)$ of a segment $\sigma$ is precisely the same as the corresponding definition in Theorem 7.3, except that it now ranges over $\{0, 1, \ldots, m+1\}$. The same change applies to the secondary ranking $\delta_1$ and to the definition of the combined ranking $\delta = (\delta_0, \delta_1)$, which ranges over pairs $(\alpha_0, i)$, with $\alpha_0$ an ordinal, and $0 \le i \le m$.

It is straightforward to verify that properties P1 and P2 are still valid, as is P3 for $\delta_1(s) = i > 0$.

A special consequence of the definitions above is that if $s$ is a $\varphi$-state which satisfies $r$, then $\delta_1(s) > 0$.
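The definitions of fulfillment, $sat(\sigma)$ and the deficit $\Delta(\sigma)$ from Theorem 7.3, the modified fulfillment of Theorem 7.4 (where the virtual requirement $F_0$ is fulfilled by an $r$-state in the segment), and the lexicographic ordering $\succ$, evaluated on a small constructed instance. This is an added illustration and not part of the paper: the requirements, state and transition names, and the enabledness table are constructed, and $\delta_1$ is computed only over an explicitly listed set of segments taken to be leveled, not over all leveled segments of a program.

```python
# Added illustration (not from the paper): the fulfilment, sat and deficit
# definitions of Theorems 7.3 and 7.4 on a constructed finite instance.

# Constructed fairness requirements F_i = (kind, E_i, T_i), 1 <= i <= m,
# kind being "continual" or "recurrent"; transitions are single letters.
REQS = {
    1: ("continual", {"a"}, {"a"}),
    2: ("recurrent", {"b"}, {"b"}),
    3: ("continual", {"c"}, {"c"}),
}

# Constructed enabledness table: the transitions enabled on each state.
ENABLED = {
    "s0": {"a", "b", "c"},
    "s1": {"a", "b", "c"},
    "s2": {"a", "b", "c"},
    "s3": {"b", "c"},        # transition a is disabled on s3
}


def fulfilled(i, segment, taken, reqs=REQS, enabled=ENABLED, r=None):
    """F_i is fulfilled in the segment (a list of states; `taken` lists the
    transitions taken along it).  With r given, index 0 is the virtual
    requirement F_0 of Theorem 7.4, fulfilled by any r-state in the segment."""
    if i == 0:
        return r is not None and any(r(s) for s in segment)
    kind, e_set, t_set = reqs[i]
    if t_set & set(taken):                      # some transition of T_i taken
        return True
    if kind == "continual" and any(not (e_set & enabled[s]) for s in segment):
        return True                             # E_i disabled on some state
    return False


def sat(segment, taken, reqs=REQS, enabled=ENABLED, r=None):
    """sat(sigma): indices of the requirements fulfilled in the segment."""
    indices = ([0] if r is not None else []) + sorted(reqs)
    return {i for i in indices if fulfilled(i, segment, taken, reqs, enabled, r)}


def deficit(segment, taken, reqs=REQS, enabled=ENABLED, r=None):
    """Delta(sigma): the smallest index whose requirement is not fulfilled,
    or m+1 when every requirement is fulfilled."""
    done = sat(segment, taken, reqs, enabled, r)
    m = max(reqs)
    for i in range(0 if r is not None else 1, m + 1):
        if i not in done:
            return i
    return m + 1


def secondary_rank(leveled_segments, r=None):
    """delta_1(s): the maximum deficit over the given leveled segments
    departing from s (here an explicit list, not all such segments)."""
    return max(deficit(seg, taken, r=r) for seg, taken in leveled_segments)


def greater(alpha, beta):
    """The ordering alpha > beta on pairs (alpha_0, i): compare the ordinal
    component first, then the deficit component."""
    (a0, i), (b0, j) = alpha, beta
    return a0 > b0 or (a0 == b0 and i > j)


if __name__ == "__main__":
    # Property P3 in miniature: sigma' = s1,s2 (taking b) has deficit 1, and
    # prefixing s0 with the helpful transition a of F_1 raises the deficit.
    print(deficit(["s1", "s2"], ["b"]), deficit(["s0", "s1", "s2"], ["a", "b"]))
    # C5 in miniature: a segment starting where E_1 is disabled fulfils F_1.
    print(deficit(["s3", "s2"], ["b"]))
    # Theorem 7.4: a segment containing no r-state has deficit 0.
    print(deficit(["s0", "s1"], ["a"], r=lambda s: s == "s2"))
```

The first two calls in the main block reproduce the step in the proof of P3: a segment whose deficit is $i$ gains the index $i$ in its satisfiability set once a transition of $T_i$ is taken in front of it. The third reproduces the contrapositive used for C5, and the fourth shows why, under the modified definition, a $\varphi$-state satisfying $r$ cannot have $\delta_1 = 0$: every segment departing from it contains an $r$-state and so fulfills $F_0$.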

We may now turn to establish the validity of the premises of the rule. Premises F1, F2, and F3 follow from arguments similar to the ones presented in the case of the response rule.

Given a parameter $\alpha = (\alpha_0, i)$, we identify the helpful fairness requirement $F_\alpha$ as $F_i \in \mathcal{F}_r$. Premise F4, which is applicable only in the case that $i > 0$, is justified by arguments similar to those of the response case. So are premises C6 and R6, which are also applicable only to the cases $i > 0$. Considering R6, the inductive argument has to consider a similar progress property for a simpler program.

Premise F5 holds trivially, since by the observation above, there can be no $\varphi$-state $s$, satisfying $r$, such that $i = \delta_1(s) = 0$.

Using  the  constructions  employed  in  the  proof  of  this  theorem,  it  is  possible  to  derive  the 
following  corollary. 

Corollary 7.1 (Completeness of Progress under Continual Fairness) For a program with no recurrent fairness requirements, the C-PROG rule is complete, relative to assertional validity, for proving the validity of any progress property.

Proof: Assume the formula $p \Rightarrow \Diamond q$ to be valid over the program $P$, which has only continual fairness requirements. We adopt the definitions of the assertion $\varphi$, the ordering $B$, shown to be well-founded, and the ranking function $\delta_0$, based on $B$, from the previous theorem. We take $\delta_0$ for the ranking $\delta$ required by the C-PROG rule. It is not difficult to see that this choice of $\varphi$ and $\delta$ satisfies premises C1–C3 of the rule. Let us consider premise C4. Assume a computation in which the state $s$ at position $j$ satisfies $r \wedge \varphi$ and has the rank $\delta_0(s) = \alpha$. It is not difficult to see that there must be another state $s'$, at position $k > j$, such that either $s'$ satisfies $q$, or the segment $s, \ldots, s'$ is $q$-free and fulfills all the (continual) fairness requirements associated with $P$. In the latter case $s\,B\,s'$ (since $s$ satisfies $\varphi$), and according to clause a of Lemma 7.1, this implies that $\delta_0(s) > \delta_0(s')$.

This establishes premise C4.